Play interactive tour

Edit tour

Analysis Report Novi poredak.exe

Overview

General Information

Sample Name:	Novi poredak.exe
Analysis ID:	324086
MD5:	99a04fddbcdadcc10efa80d863d96d30
SHA1:	7e92abbe31847d455d69b4da443ef01d958b4706
SHA256:	2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3
Tags:	exegeoHRVModiLoader
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected FormBook malware

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: Steal Google chrome login data

Yara detected FormBook

Allocates memory in foreign processes

Creates a thread in another existing process (thread injection)

Injects a PE file into a foreign processes

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

PE / OLE file has an invalid certificate

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Novi poredak.exe (PID: 5972 cmdline: 'C:\Users\user\Desktop\Novi poredak.exe' MD5: 99A04FDDBCDADCC10EFA80D863D96D30)

ieinstal.exe (PID: 6780 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)

explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 1256 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 784 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

ieinstal.exe (PID: 5168 cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

ieinstal.exe (PID: 5860 cmdline: 'C:\Program Files (x86)\internet explorer\ieinstal.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 10 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
11.2.ieinstal.exe.10410000.3.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.ieinstal.exe.10410000.3.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.ieinstal.exe.10410000.3.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18449:$sqlite3step: 68 34 1C 7B E1 0x1855c:$sqlite3step: 68 34 1C 7B E1 0x18478:$sqlite3text: 68 38 2A 90 C5 0x1859d:$sqlite3text: 68 38 2A 90 C5 0x1848b:$sqlite3blob: 68 53 D8 7F 8C 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
11.2.ieinstal.exe.10410000.3.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
11.2.ieinstal.exe.10410000.3.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
11.2.ieinstal.exe.10410000.3.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17649:$sqlite3step: 68 34 1C 7B E1 0x1775c:$sqlite3step: 68 34 1C 7B E1 0x17678:$sqlite3text: 68 38 2A 90 C5 0x1779d:$sqlite3text: 68 38 2A 90 C5 0x1768b:$sqlite3blob: 68 53 D8 7F 8C 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 1 entries

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data

Show sources

Source: Process started

Author: Joe Security: Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\control.exe, ParentImage: C:\Windows\SysWOW64\control.exe, ParentProcessId: 1256, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 784

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Novi poredak.exe	Virustotal: Detection: 55%			Perma Link
Source: Novi poredak.exe	ReversingLabs: Detection: 60%

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

Source: 11.2.ieinstal.exe.10410000.3.unpack

Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4x nop then pop ebx
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi

Source: Joe Sandbox View	IP Address: 162.159.137.232 162.159.137.232
Source: Joe Sandbox View	IP Address: 162.159.135.233 162.159.135.233

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown

DNS traffic detected: queries for: discord.com

Source: Novi poredak.exe	String found in binary or memory: Http://gorohov.narod.ru
Source: explorer.exe, 0000000C.00000000.343740110.000000000F640000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/?ocid=iehp3n
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: http://www.msn.com/ocid=iehp
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/:n
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.pngdIdg
Source: control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0s

Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\control.exe	Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\control.exe	Dropped file: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F195D0 NtClose,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19540 NtReadFile,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F197A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F198F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F195F0 NtQueryInformationFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19560 NtWriteFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F1AD30 NtSetContextThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19520 NtWaitForSingleObject,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F196D0 NtCreateKey,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19670 NtQueryInformationProcess,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19650 NtQueryValueKey,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19610 NtEnumerateValueKey,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19FE0 NtCreateMutant,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F1A770 NtOpenThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19770 NtSetInformationFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19760 NtOpenProcess,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19730 NtQueryVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F1A710 NtOpenProcessToken,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F198A0 NtWriteVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F1B040 NtSuspendThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19820 NtEnumerateKey,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F199D0 NtCreateProcessEx,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19950 NtQueueApcThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19A80 NtOpenDirectoryObject,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19A10 NtQuerySection,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F1A3B0 NtGetContextThread,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F19B00 NtSetValueKey,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10429850 NtCreateFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10429900 NtReadFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10429980 NtClose,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10429A30 NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042984A NtCreateFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_104298FB NtReadFile,
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042997A NtClose,
Source: C:\Windows\explorer.exe	Code function: 12_2_071CF852 NtCreateFile,NtReadFile,NtClose,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9560 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9610 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9B00 NtSetValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9770 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048EB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E95F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048EAD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048EA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048EA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048EA770 NtOpenThread,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D99A30 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D99850 NtCreateFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D99980 NtClose,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D99900 NtReadFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D998FB NtReadFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9984A NtCreateFile,
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9997A NtClose,

Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_04C0AD7C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9D466
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE841F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EED5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA25DD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA1D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED0D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA2D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA2EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF6E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9D616
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA1FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FADFCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA28EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA20A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEB090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FAE824
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA830
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF4120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDF900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA22AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F8FA2B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F823E3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F903DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0ABD8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9DBD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFAB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA2B28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10411030
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042CA46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042DA5E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042D29D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042CB3E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042D4B3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10412D90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042DFE6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_1042D7F9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10419F80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_10412FB0
Source: C:\Windows\explorer.exe	Code function: 12_2_071CF852
Source: C:\Windows\explorer.exe	Code function: 12_2_071CCF52
Source: C:\Windows\explorer.exe	Code function: 12_2_071CE679
Source: C:\Windows\explorer.exe	Code function: 12_2_071D2AAC
Source: C:\Windows\explorer.exe	Code function: 12_2_071CAAF2
Source: C:\Windows\explorer.exe	Code function: 12_2_071CAAEF
Source: C:\Windows\explorer.exe	Code function: 12_2_071C6072
Source: C:\Windows\explorer.exe	Code function: 12_2_071C6069
Source: C:\Windows\explorer.exe	Code function: 12_2_071C7CF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BB090
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961002
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AF900
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A0D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C4120
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04971D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C6E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DEBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9DA5E
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9CA46
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9D7F9
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9DFE6
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D89F80
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D82FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D9D4B3
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_02D82D90

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: String function: 04EDB150 appears 133 times

Source: Novi poredak.exe

Static PE information: invalid certificate

Source: Novi poredak.exe

Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST

Source: Novi poredak.exe	Binary or memory string: OriginalFilename vs Novi poredak.exe
Source: Novi poredak.exe, 00000001.00000003.214140717.00000000021E4000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCOMCTL32.DLL.MUIj% vs Novi poredak.exe
Source: Novi poredak.exe, 00000001.00000000.213874206.00000000004BE000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameProcexp.exeB vs Novi poredak.exe
Source: Novi poredak.exe	Binary or memory string: OriginalFilenameProcexp.exeB vs Novi poredak.exe

Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@11/5@8/2

Source: C:\Windows\SysWOW64\control.exe

File created: C:\Users\user\AppData\Roaming\8LO8PUBW

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4276:120:WilError_01

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Users\user\AppData\Local\Temp\DB1

Jump to behavior

Source: C:\Users\user\Desktop\Novi poredak.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Novi poredak.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Novi poredak.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Novi poredak.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Users\user\Desktop\Novi poredak.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Novi poredak.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\Desktop\Novi poredak.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Novi poredak.exe	Virustotal: Detection: 55%
Source: Novi poredak.exe	ReversingLabs: Detection: 60%

Source: unknown	Process created: C:\Users\user\Desktop\Novi poredak.exe 'C:\Users\user\Desktop\Novi poredak.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: unknown	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: C:\Users\user\Desktop\Novi poredak.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32

Source: C:\Windows\SysWOW64\control.exe

File written: C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogri.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Novi poredak.exe

Static file information: File size 2250352 > 1048576

Source:	Binary string: ieinstal.pdbGCTL source: control.exe, 00000010.00000002.481933703.000000000074B000.00000004.00000020.sdmp
Source:	Binary string: wscui.pdbUGP source: explorer.exe, 0000000C.00000000.342809291.000000000E1C0000.00000002.00000001.sdmp
Source:	Binary string: ieinstal.pdb source: control.exe, 00000010.00000002.481933703.000000000074B000.00000004.00000020.sdmp
Source:	Binary string: control.pdb source: ieinstal.exe, 0000000B.00000002.360031587.0000000004E50000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: ieinstal.exe, 0000000B.00000002.360073133.0000000004EB0000.00000040.00000001.sdmp, control.exe, 00000010.00000002.485782152.000000000499F000.00000040.00000001.sdmp
Source:	Binary string: wntdll.pdb source: ieinstal.exe, control.exe
Source:	Binary string: control.pdbUGP source: ieinstal.exe, 0000000B.00000002.360031587.0000000004E50000.00000040.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 0000000C.00000000.342809291.000000000E1C0000.00000002.00000001.sdmp

Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421F328 push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421DB2C push ebx; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421F437 push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421F794 push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421E099 push ebx; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421D41C push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421DC1C push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421E960 push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421F263 push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421F4E8 push esi; retf
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421D5EF push edi; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421E542 push edi; iretd
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421DFC4 push ebx; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421D64D push ebx; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0421DDD3 push ebx; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_04393C1C push 0042A174h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0437DCA4 push 00414246h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_04388CA4 push 0041F1FCh; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0438049C push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_04370CE0 push ecx; mov dword ptr [esp], eax
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0437DD1C push 004142F0h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_04391D78 push 004282D0h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_043805B8 push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_043945A0 push 0042AB1Bh; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0439F5F8 push ecx; mov dword ptr [esp], ecx
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_043805FC push ecx; mov dword ptr [esp], edx
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0437DEB8 push 00414410h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_043926A4 push 00428BFCh; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_0437E6F0 push 00414C69h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_04370EFC push 00407454h; ret
Source: C:\Users\user\Desktop\Novi poredak.exe	Code function: 1_3_043926E4 push 00428C3Ch; ret

Source: C:\Windows\SysWOW64\control.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5JAP_RGXCN			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run 5JAP_RGXCN			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)

Show sources

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xB3 0x38

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 00000000104198B4 second address: 00000000104198BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000010419B2E second address: 0000000010419B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002D898B4 second address: 0000000002D898BA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 0000000002D89B2E second address: 0000000002D89B34 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 11_2_04F16DE6 rdtsc

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: explorer.exe, 0000000C.00000000.337250848.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000000C.00000000.337250848.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 0000000C.00000000.336381200.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 0000000C.00000000.336944637.0000000008640000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000C.00000000.328424561.00000000055D0000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: explorer.exe, 0000000C.00000000.337250848.000000000871F000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 0000000C.00000000.337250848.000000000871F000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 0000000C.00000002.495467589.0000000005603000.00000004.00000001.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 0000000C.00000000.336381200.0000000008220000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000C.00000000.336381200.0000000008220000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000C.00000000.336381200.0000000008220000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 11_2_04F16DE6 rdtsc

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Code function: 11_2_04F195D0 NtClose,LdrInitializeThunk,

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F914FB mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94496 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE849B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF746D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0AC7B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA740D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F88DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EED5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F56DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F01DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F035A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02581 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92D82 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F13D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F53540 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F83D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F5A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F04D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F04D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F04D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F016E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F18EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F8FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F036CC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F546A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE766D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFAE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F8FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F08E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F91608 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F137F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F57794 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFB73D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA070D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA070D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFB8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED40E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F6B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F020A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F190AF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F53884 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F92073 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0002D mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA830 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F57016 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F641E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F551BE mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F061A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF99BF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F949A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02990 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0513A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F94AEF mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EEAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F1927A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F8B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA8A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F64257 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED9240 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA229 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F14A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE8A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EF3A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDAA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED5210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04ED5210 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFDBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F003E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F823E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F823E3 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F823E3 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F553CA mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F04BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F0B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EE1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F02397 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9138A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F8D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F03B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04FA8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EDF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04F9131B mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 11_2_04EFA309 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04923884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04923884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E90AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04978CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_049614FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04974015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04974015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04927016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04927016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04927016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04961C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04926C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0497740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0497740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0497740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DBC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04971074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04962073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DA185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048CC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DFD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D35A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04958DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04978D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0492A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C4120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D4D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048CB944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E3D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04923540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048C7D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048AB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048CC577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0493FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DD294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048A52A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04970EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04970EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04970EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_049246A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048BAAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048DFAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_04978ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048D36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048E8EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_0495FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\control.exe	Code function: 16_2_048B76E2 mov eax, dword ptr fs:[00000030h]

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\Desktop\Novi poredak.exe	Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10410000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Novi poredak.exe	Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2DC0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Novi poredak.exe	Memory allocated: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2DD0000 protect: page execute and read and write

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\Desktop\Novi poredak.exe

Thread created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe EIP: 2DD0000

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Novi poredak.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10410000 value starts with: 4D5A

Maps a DLL or memory area into another process

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread register set: target process: 3388
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3388

Queues an APC in another process (thread injection)

Show sources

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\Novi poredak.exe	Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 10410000
Source: C:\Users\user\Desktop\Novi poredak.exe	Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2DC0000
Source: C:\Users\user\Desktop\Novi poredak.exe	Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: 2DD0000

Source: C:\Users\user\Desktop\Novi poredak.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V

Source: explorer.exe, 0000000C.00000000.309312066.0000000001398000.00000004.00000020.sdmp	Binary or memory string: ProgmanamF
Source: explorer.exe, 0000000C.00000000.310079080.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 0000000C.00000000.337250848.000000000871F000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.310079080.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.310079080.0000000001980000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\SysWOW64\control.exe	File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Windows\SysWOW64\control.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection712	Rootkit1	OS Credential Dumping1	Security Software Discovery121	Remote Services	Email Collection1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Masquerading1	Credential API Hooking1	Virtualization/Sandbox Evasion1	Remote Desktop Protocol	Credential API Hooking1	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Archive Collected Data1	Automated Exfiltration	Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection712	NTDS	Remote System Discovery1	Distributed Component Object Model	Data from Local System1	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery2	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information3	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Novi poredak.exe	56%	Virustotal		Browse
Novi poredak.exe	60%	ReversingLabs	Win32.Infostealer.Fareit

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
11.2.ieinstal.exe.10410000.3.unpack	100%	Avira	TR/Crypt.ZPACK.Gen		Download File

Domains

Source	Detection	Scanner	Label	Link
discord.com	1%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
discord.com	162.159.137.232	true	false	1%, Virustotal, Browse	unknown
cdn.discordapp.com	162.159.135.233	true	false		high
www.naehascloud.com	unknown	unknown	true		unknown
www.hotsmail.today	unknown	unknown	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/?ocid=iehp3n	control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	false		high
http://www.msn.com/de-ch/?ocid=iehpLMEMh	control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers?	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.tiro.com	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/ocid=iehp	control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/?ocid=iehp	control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	false		high
http://www.typography.netD	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.msn.com/?ocid=iehp	control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	false		high
http://www.jiyu-kobo.co.jp/	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.fonts.com	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sakkal.com	explorer.exe, 0000000C.00000000.338826970.0000000008B46000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.msn.com/de-ch/ocid=iehp	control.exe, 00000010.00000002.482857570.00000000007CA000.00000004.00000001.sdmp	false		high
Http://gorohov.narod.ru	Novi poredak.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.159.137.232	unknown	United States		13335	CLOUDFLARENETUS	false
162.159.135.233	unknown	United States		13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	324086
Start date:	28.11.2020
Start time:	10:36:47
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Novi poredak.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@11/5@8/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 36.2% (good quality ratio 32.3%) Quality average: 70.3% Quality standard deviation: 32.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 92.122.144.200, 51.104.144.132, 13.64.90.137, 2.20.142.209, 2.20.142.210, 51.103.5.159, 92.122.213.194, 92.122.213.247, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:37:40	API Interceptor	2x Sleep call for process: Novi poredak.exe modified
10:38:57	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run 5JAP_RGXCN C:\Program Files (x86)\internet explorer\ieinstal.exe
10:38:58	API Interceptor	1x Sleep call for process: explorer.exe modified
10:39:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run 5JAP_RGXCN C:\Program Files (x86)\internet explorer\ieinstal.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
162.159.137.232	94039330.exe	Get hash	malicious	Browse
	PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe	Get hash	malicious	Browse
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse
	Scan 25112020 pdf.exe	Get hash	malicious	Browse
	Q21rQw2C4o.exe	Get hash	malicious	Browse
	tzjEwwwbqK.exe	Get hash	malicious	Browse
	oUI0jQS8xQ.exe	Get hash	malicious	Browse
	NyUnwsFSCa.exe	Get hash	malicious	Browse
	PO#0007507_009389283882873PDF.exe	Get hash	malicious	Browse
	LAX28102020HBL_AMSLAX1056_CTLQD06J0BL_PO_DTH266278_RFQ.exe	Get hash	malicious	Browse
	8fJPaTfN8D.exe	Get hash	malicious	Browse
	LJLMG5Syza.exe	Get hash	malicious	Browse
	oAkfKRTCvN.exe	Get hash	malicious	Browse
	eybgvwBamW.exe	Get hash	malicious	Browse
	R#U00d6SLER Puchase_tcs 10-28-2020,pdf.exe	Get hash	malicious	Browse
	#U8ba2#U5355#U786e#U8ba4,pdf.exe	Get hash	malicious	Browse
	Documentos_ordine.exe	Get hash	malicious	Browse
	ShipmentReceipt.exe	Get hash	malicious	Browse
	ShipmentReceipt.exe	Get hash	malicious	Browse
162.159.135.233	Vessel details.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/780175015496777751/781048233136226304/mocux.exe
162.159.135.233	Teklif Rusya 24 09 2020.doc	Get hash	malicious	Browse	cdn.discordapp.com/attachments/733818080668680222/758418625429372978/p2.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
discord.com	94039330.exe	Get hash	malicious	Browse	162.159.128.233
	P1001094.EXE	Get hash	malicious	Browse	162.159.128.233
	ompbSaRiK0.exe	Get hash	malicious	Browse	162.159.135.232
	New Order PO20011046.exe	Get hash	malicious	Browse	162.159.128.233
	PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe	Get hash	malicious	Browse	162.159.137.232
	11-27.exe	Get hash	malicious	Browse	162.159.136.232
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.128.233
	XcOxlmOz4D.exe	Get hash	malicious	Browse	162.159.136.232
	fAhW3JEGaZ.exe	Get hash	malicious	Browse	162.159.136.232
	HIp08HPg20.exe	Get hash	malicious	Browse	162.159.128.233
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.137.232
	caw.exe	Get hash	malicious	Browse	162.159.138.232
	lxpo.exe	Get hash	malicious	Browse	162.159.128.233
	SpecificationX20202611.xlsx	Get hash	malicious	Browse	162.159.136.232
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.137.232
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.137.232
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.128.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.137.232
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.128.233
	tzjEwwwbqK.exe	Get hash	malicious	Browse	162.159.136.232
cdn.discordapp.com	94039330.exe	Get hash	malicious	Browse	162.159.134.233
	P1001094.EXE	Get hash	malicious	Browse	162.159.134.233
	New Order PO20011046.exe	Get hash	malicious	Browse	162.159.135.233
	PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe	Get hash	malicious	Browse	162.159.135.233
	11-27.exe	Get hash	malicious	Browse	162.159.129.233
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.129.233
	OVERDUE INVOICE.xls	Get hash	malicious	Browse	162.159.129.233
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.129.233
	Vessel details.doc	Get hash	malicious	Browse	162.159.135.233
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.130.233
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.135.233
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.129.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.130.233
	Q21rQw2C4o.exe	Get hash	malicious	Browse	162.159.133.233
	tzjEwwwbqK.exe	Get hash	malicious	Browse	162.159.130.233
	DHL_Express_Consignment_Details.exe	Get hash	malicious	Browse	162.159.133.233
	New Microsoft Office Excel Worksheet.xlsx	Get hash	malicious	Browse	162.159.129.233
	INV SF2910202.doc	Get hash	malicious	Browse	162.159.135.233
	Komfkim_Signed_.exe	Get hash	malicious	Browse	162.159.129.233
	oUI0jQS8xQ.exe	Get hash	malicious	Browse	162.159.130.233

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	94039330.exe	Get hash	malicious	Browse	162.159.134.233
	P1001094.EXE	Get hash	malicious	Browse	162.159.134.233
	ompbSaRiK0.exe	Get hash	malicious	Browse	104.18.53.239
	New Order PO20011046.exe	Get hash	malicious	Browse	162.159.135.233
	PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe	Get hash	malicious	Browse	162.159.135.233
	11-27.exe	Get hash	malicious	Browse	162.159.135.233
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.135.233
	XcOxlmOz4D.exe	Get hash	malicious	Browse	162.159.136.232
	fAhW3JEGaZ.exe	Get hash	malicious	Browse	162.159.136.232
	HIp08HPg20.exe	Get hash	malicious	Browse	104.23.98.190
	case.8920.xls	Get hash	malicious	Browse	104.27.186.55
	case.8920.xls	Get hash	malicious	Browse	172.67.212.16
	OVERDUE INVOICE.xls	Get hash	malicious	Browse	172.67.143.180
	Venom.exe	Get hash	malicious	Browse	104.23.98.190
	PO348578.jar	Get hash	malicious	Browse	104.23.99.190
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.129.233
	notif8372.xls	Get hash	malicious	Browse	104.24.117.11
	notif8372.xls	Get hash	malicious	Browse	172.67.222.45
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.87.226
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	172.67.155.205
CLOUDFLARENETUS	94039330.exe	Get hash	malicious	Browse	162.159.134.233
	P1001094.EXE	Get hash	malicious	Browse	162.159.134.233
	ompbSaRiK0.exe	Get hash	malicious	Browse	104.18.53.239
	New Order PO20011046.exe	Get hash	malicious	Browse	162.159.135.233
	PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe	Get hash	malicious	Browse	162.159.135.233
	11-27.exe	Get hash	malicious	Browse	162.159.135.233
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.135.233
	XcOxlmOz4D.exe	Get hash	malicious	Browse	162.159.136.232
	fAhW3JEGaZ.exe	Get hash	malicious	Browse	162.159.136.232
	HIp08HPg20.exe	Get hash	malicious	Browse	104.23.98.190
	case.8920.xls	Get hash	malicious	Browse	104.27.186.55
	case.8920.xls	Get hash	malicious	Browse	172.67.212.16
	OVERDUE INVOICE.xls	Get hash	malicious	Browse	172.67.143.180
	Venom.exe	Get hash	malicious	Browse	104.23.98.190
	PO348578.jar	Get hash	malicious	Browse	104.23.99.190
	MT103---USD42880.45---20201127--dbs--9900.exe	Get hash	malicious	Browse	162.159.129.233
	notif8372.xls	Get hash	malicious	Browse	104.24.117.11
	notif8372.xls	Get hash	malicious	Browse	172.67.222.45
	SecuriteInfo.com.Heur.23770.xls	Get hash	malicious	Browse	104.31.87.226
	2020-11-27-ZLoader-DLL-example-01.dll	Get hash	malicious	Browse	172.67.155.205

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	94039330.exe	Get hash	malicious	Browse	162.159.135.233
	P1001094.EXE	Get hash	malicious	Browse	162.159.135.233
	New Order PO20011046.exe	Get hash	malicious	Browse	162.159.135.233
	PRO FORMA INVOICE - - MAGAUTKCP (24-Nov-20).exe	Get hash	malicious	Browse	162.159.135.233
	11-27.exe	Get hash	malicious	Browse	162.159.135.233
	STATEMENT OF ACCOUNT.exe	Get hash	malicious	Browse	162.159.135.233
	caw.exe	Get hash	malicious	Browse	162.159.135.233
	6znqz0d1.dll	Get hash	malicious	Browse	162.159.135.233
	INV-FATURA010009.xlsx	Get hash	malicious	Browse	162.159.135.233
	INV-FATURA010009.xlsx	Get hash	malicious	Browse	162.159.135.233
	2zv940v7.dll	Get hash	malicious	Browse	162.159.135.233
	RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe	Get hash	malicious	Browse	162.159.135.233
	Izezma64.dll	Get hash	malicious	Browse	162.159.135.233
	fuxenm32.dll	Get hash	malicious	Browse	162.159.135.233
	api-cdef.dll	Get hash	malicious	Browse	162.159.135.233
	Scan 25112020 pdf.exe	Get hash	malicious	Browse	162.159.135.233
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	162.159.135.233
	tarifvertrag_igbce_weihnachtsgeld_k#U00fcndigung.js	Get hash	malicious	Browse	162.159.135.233
	Piraeus Bank_swift_.exe	Get hash	malicious	Browse	162.159.135.233
	FxzOwcXb7x.exe	Get hash	malicious	Browse	162.159.135.233

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DB1 Download File
Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	true
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogim.jpeg Download File
Process:	C:\Windows\SysWOW64\control.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, frames 3
Category:	dropped
Size (bytes):	95747
Entropy (8bit):	7.918123771358294
Encrypted:	false
SSDEEP:	1536:CGA3mwPhxXv4zyIgZKsHdnPdT6CS3qPv8xWeKeXLQOLKWSxYzRuhiVxp6FSg:hUmqXvHrDHdPdTIqPr8LmLKE
MD5:	AC7A0E0EA541C87E39949617D1C6921C
SHA1:	3CD90BB318790321A1EA8AC83DA4BF900EA7867D
SHA-256:	DDDC91EB31EC4CDB2B0D0E43809CEA4B1A0C8D1C14FCE0CC89E0A2083779B0B9
SHA-512:	DDB33044BCE099B45C54B308F077EDBC0FCB592E7A13BECFD2FAED2DC315E69B67C252E48A7121664DAAD109034CF3A5374010901246A796A0672F28033DDB4A
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............\|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.A.:.....X.l..1lN23....._....m.....'.........S.. ..W....'.c....1....5.5.}j.Ly..k;.\...q.U..Q...bgJpW.(QKI]&b.QE.&(....Q..R...`2.`....j.$.....+..];$....F...K.1...3.)k...@<1..@.../...G. .....g.G.....~.W.W.......

C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogrg.ini Download File
Process:	C:\Windows\SysWOW64\control.exe
File Type:	data
Category:	dropped
Size (bytes):	38
Entropy (8bit):	2.7883088224543333
Encrypted:	false
SSDEEP:	3:rFGQJhIl:RGQPY
MD5:	4AADF49FED30E4C9B3FE4A3DD6445EBE
SHA1:	1E332822167C6F351B99615EADA2C30A538FF037
SHA-256:	75034BEB7BDED9AEAB5748F4592B9E1419256CAEC474065D43E531EC5CC21C56
SHA-512:	EB5B3908D5E7B43BA02165E092F05578F45F15A148B4C3769036AA542C23A0F7CD2BC2770CF4119A7E437DE3F681D9E398511F69F66824C516D9B451BB95F945
Malicious:	false
Preview:	....C.h.r.o.m.e. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogri.ini Download File
Process:	C:\Windows\SysWOW64\control.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	2.8420918598895937
Encrypted:	false
SSDEEP:	3:+slXllAGQJhIl:dlIGQPY
MD5:	D63A82E5D81E02E399090AF26DB0B9CB
SHA1:	91D0014C8F54743BBA141FD60C9D963F869D76C9
SHA-256:	EAECE2EBA6310253249603033C744DD5914089B0BB26BDE6685EC9813611BAAE
SHA-512:	38AFB05016D8F3C69D246321573997AAAC8A51C34E61749A02BF5E8B2B56B94D9544D65801511044E1495906A86DC2100F2E20FF4FCBED09E01904CC780FDBAD
Malicious:	true
Preview:	....I.e.x.p.l.o.r. .R.e.c.o.v.e.r.y.....

C:\Users\user\AppData\Roaming\8LO8PUBW\8LOlogrv.ini Download File
Process:	C:\Windows\SysWOW64\control.exe
File Type:	data
Category:	dropped
Size (bytes):	210
Entropy (8bit):	3.4316249313117866
Encrypted:	false
SSDEEP:	6:tGQPYlIaExGNlGcQga3Of9y96GO4KTOmePgJsEoY:MlIaExGNYvOI6x4uOm4WYY
MD5:	0FBD56A0A77A1CC560E052F5374A54E9
SHA1:	9CACB949953FA7B9FE2969604A9E795D99DC0735
SHA-256:	8D64D71D385D20B20BCF3A8B86CD1462EE5B8C1D0A499608CE65B7AE3B67D31B
SHA-512:	6B33F1023121A861E08846852494BE67B3B2775EF8763FF625A493C5643318E15D8C74350E9E5584DDC29402C4C860173AFD9AE00C97D2590833F03D1288EBAD
Malicious:	true
Preview:	...._._.V.a.u.l.t. .R.e.c.o.v.e.r.y.........N.a.m.e.:...M.i.c.r.o.s.o.f.t.A.c.c.o.u.n.t.:.t.a.r.g.e.t.=.S.S.O._.P.O.P._.D.e.v.i.c.e.....I.d.:...0.2.a.d.u.j.n.e.r.a.u.c.a.k.d.s.....A.u.t.:.......P.a.s.s.:.......

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.601752575807204
TrID:	Win32 Executable (generic) a (10002005/4) 99.24% InstallShield setup (43055/19) 0.43% Win32 Executable Delphi generic (14689/80) 0.15% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02%
File name:	Novi poredak.exe
File size:	2250352
MD5:	99a04fddbcdadcc10efa80d863d96d30
SHA1:	7e92abbe31847d455d69b4da443ef01d958b4706
SHA256:	2446476e9008d7e3c9f908680c22794aad6c26605536ec0cb428b33c99f72be3
SHA512:	7264997b719fdc4b998504a72ce1409a4f1c62920117e1bdde54877b4c5b223361f8235c08f7306e16431f72673e7d421eca96a8f0333e952d7bbecd13a1ce36
SSDEEP:	49152:vLrd08kN5H7Y9gKAdZVhlZfyiSCyiSV/CznFw9:vLrDkNlY9gDdZVLpi
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	b2989692969ed26a

Static PE Info

General
Entrypoint:	0x47fb18
Entrypoint Section:	CODE
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, BYTES_REVERSED_LO, EXECUTABLE_IMAGE, UP_SYSTEM_ONLY, LARGE_ADDRESS_AWARE, LINE_NUMS_STRIPPED, BYTES_REVERSED_HI, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x2A425E19 [Fri Jun 19 22:22:17 1992 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	23de31c260a4b45c8d1ef99329fb5969

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	5/2/2019 2:24:35 PM 5/2/2020 2:24:35 PM
Subject Chain	CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version:	3
Thumbprint MD5:	ED012B5F6A27839EB6A8A74FED15D260
Thumbprint SHA-1:	0DD6D4D4F46C0C7C2671962C4D361D607E370940
Thumbprint SHA-256:	FC2FE55A92C580502B77547E21A31C9D63124C4B7DD8E6011B992C4B4F35ACBC
Serial:	33000002313234CBAFA8AB9A4D000000000231

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 0047F898h
call 00007F170C3E1131h
push edx
pop ebx
mov eax, dword ptr [00481FE8h]
mov eax, dword ptr [eax]
call 00007F170C437F37h
mov eax, dword ptr [00481FE8h]
mov eax, dword ptr [eax]
mov edx, 0047FB84h
call 00007F170C437B26h
mov ecx, dword ptr [00481DACh]
mov eax, dword ptr [00481FE8h]
mov eax, dword ptr [eax]
mov edx, dword ptr [0047EB68h]
call 00007F170C437F26h
mov eax, dword ptr [00481FE8h]
mov eax, dword ptr [eax]
mov byte ptr [eax+5Bh], 00000000h
mov eax, dword ptr [00481FE8h]
mov eax, dword ptr [eax]
call 00007F170C437F8Fh
call 00007F170C3DED56h
add bh, bh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85000	0x24a4	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x93000	0x96d50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x123a00	0x101c70
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8a000	0x8f94	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x89000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
CODE	0x1000	0x7eb90	0x7ec00	False	0.522919363289	data	6.52340828785	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
DATA	0x80000	0x219c	0x2200	False	0.391429227941	data	4.59070866129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
BSS	0x83000	0x1101	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.idata	0x85000	0x24a4	0x2600	False	0.354132401316	data	4.80426893043	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.tls	0x88000	0x40	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rdata	0x89000	0x18	0x200	False	0.05078125	data	0.184150656087	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.reloc	0x8a000	0x8f94	0x9000	False	0.564208984375	data	6.64246473046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ
.rsrc	0x93000	0x96d50	0x96e00	False	0.510111912283	data	6.94667229231	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_SHARED, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x93c58	0x134	data
RT_CURSOR	0x93d8c	0x134	data
RT_CURSOR	0x93ec0	0x134	data
RT_CURSOR	0x93ff4	0x134	data
RT_CURSOR	0x94128	0x134	data
RT_CURSOR	0x9425c	0x134	data
RT_CURSOR	0x94390	0x134	data
RT_BITMAP	0x944c4	0x1d0	data
RT_BITMAP	0x94694	0x1e4	data
RT_BITMAP	0x94878	0x1d0	data
RT_BITMAP	0x94a48	0x1d0	data
RT_BITMAP	0x94c18	0x1d0	data
RT_BITMAP	0x94de8	0x1d0	data
RT_BITMAP	0x94fb8	0x1d0	data
RT_BITMAP	0x95188	0x1d0	data
RT_BITMAP	0x95358	0x1d0	data
RT_BITMAP	0x95528	0x1d0	data
RT_BITMAP	0x956f8	0xe8	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x957e0	0x10a8	data	English	United States
RT_ICON	0x96888	0x25a8	data	English	United States
RT_ICON	0x98e30	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 240, next used block 251658240	English	United States
RT_ICON	0x9d058	0x5488	data	English	United States
RT_ICON	0xa24e0	0xac5c	data	English	United States
RT_DIALOG	0xad13c	0x52	data
RT_STRING	0xad190	0x314	data
RT_STRING	0xad4a4	0x1dc	data
RT_STRING	0xad680	0x154	data
RT_STRING	0xad7d4	0x3a4	data
RT_STRING	0xadb78	0x4bc	data
RT_STRING	0xae034	0xc0	data
RT_STRING	0xae0f4	0xfc	data
RT_STRING	0xae1f0	0x120	data
RT_STRING	0xae310	0x4c0	data
RT_STRING	0xae7d0	0x350	data
RT_STRING	0xaeb20	0x39c	data
RT_STRING	0xaeebc	0x3b0	data
RT_STRING	0xaf26c	0xf0	data
RT_STRING	0xaf35c	0xc0	data
RT_STRING	0xaf41c	0x2d8	data
RT_STRING	0xaf6f4	0x494	data
RT_STRING	0xafb88	0x3ac	data
RT_STRING	0xaff34	0x2d4	data
RT_RCDATA	0xb0208	0x10	data
RT_RCDATA	0xb0218	0x350	data
RT_RCDATA	0xb0568	0x2029	Delphi compiled form 'T__3811613060'
RT_RCDATA	0xb2594	0x76f67	GIF image data, version 89a, 577 x 188	English	United States
RT_GROUP_CURSOR	0x1294fc	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x129510	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x129524	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x129538	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x12954c	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x129560	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_CURSOR	0x129574	0x14	Lotus unknown worksheet or configuration, revision 0x1
RT_GROUP_ICON	0x129588	0x4c	data	English	United States
RT_VERSION	0x1295d4	0x77c	data	English	United States

Imports

DLL	Import
kernel32.dll	DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSection, VirtualFree, VirtualAlloc, LocalFree, LocalAlloc, GetTickCount, QueryPerformanceCounter, GetVersion, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, WriteFile, UnhandledExceptionFilter, RtlUnwind, RaiseException, GetStdHandle
user32.dll	GetKeyboardType, LoadStringA, MessageBoxA, CharNextA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualProtect, VirtualAlloc, Sleep, SizeofResource, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResetEvent, ReadFile, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalReAlloc, GlobalHandle, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetSystemInfo, GetStringTypeExA, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, GetACP, FreeResource, InterlockedExchange, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, FileTimeToLocalFileTime, FileTimeToDosDateTime, EnumCalendarInfoA, EnterCriticalSection, DeleteFileA, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, Polyline, Polygon, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetTextAlign, GetSystemPaletteEntries, GetStockObject, GetROP2, GetPolyFillMode, GetPixel, GetPaletteEntries, GetObjectA, GetMapMode, GetGraphicsMode, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetDCPenColor, GetDCBrushColor, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBkMode, GetBkColor, GetBitmapBits, GdiFlush, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
user32.dll	CreateWindowExA, WindowFromPoint, WinHelpA, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, ShowCursor, ShowCaret, SetWindowsHookExA, SetWindowTextA, SetWindowPos, SetWindowPlacement, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostQuitMessage, PostMessageA, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, HideCaret, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassNameA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawStateA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayPutElement, SafeArrayGetElement, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopyInd, VariantCopy, VariantClear, VariantInit
ole32.dll	CoUninitialize, CoInitialize
oleaut32.dll	GetErrorInfo, SysFreeString
comctl32.dll	ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_GetDragImage, ImageList_DragShowNolock, ImageList_SetDragCursorImage, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Replace, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_ReplaceIcon, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
shell32.dll	ShellExecuteA
winmm.dll	sndPlaySoundA

Version Infos

Description	Data
LegalCopyright	Copyright 1998-2017 Mark Russinovich
InternalName	Process Explorer
FileVersion	16.21
CompanyName	Sysinternals - www.sysinternals.com
LegalTrademarks	Copyright (C) 1998-2017 Mark Russinovich
ProductName	Process Explorer
ProductVersion	16.21
FileDescription	Sysinternals Process Explorer
OriginalFilename	Procexp.exe
Translation	0x0409 0x04e4

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 10:37:41.597628117 CET	49716	443	192.168.2.3	162.159.137.232
Nov 28, 2020 10:37:41.614025116 CET	443	49716	162.159.137.232	192.168.2.3
Nov 28, 2020 10:37:41.614131927 CET	49716	443	192.168.2.3	162.159.137.232
Nov 28, 2020 10:37:41.614514112 CET	49716	443	192.168.2.3	162.159.137.232
Nov 28, 2020 10:37:41.630994081 CET	443	49716	162.159.137.232	192.168.2.3
Nov 28, 2020 10:37:41.631031036 CET	443	49716	162.159.137.232	192.168.2.3
Nov 28, 2020 10:37:41.631122112 CET	49716	443	192.168.2.3	162.159.137.232
Nov 28, 2020 10:37:41.701122046 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.717849970 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.717999935 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.730017900 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.746350050 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.747222900 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.747257948 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.747277975 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.747426987 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.809895039 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.826611042 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.826992989 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.881931067 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.894929886 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.911379099 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930778980 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930804014 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930816889 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930830956 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930846930 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930859089 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930876017 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930886984 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.930890083 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930903912 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930917025 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930932999 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930933952 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.930951118 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930963993 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930969000 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.930977106 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.930994034 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931003094 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931010962 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931024075 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931034088 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931041002 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931056976 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931066036 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931075096 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931092024 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931102037 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931112051 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931126118 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931128979 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931145906 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931159973 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931176901 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931181908 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931196928 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931216002 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931224108 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931232929 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931248903 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931263924 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931282043 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931293011 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931298018 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931313992 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931324005 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931334019 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931350946 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931351900 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931369066 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931385040 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931385994 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931404114 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931412935 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931418896 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931436062 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931447983 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931456089 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931477070 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931488037 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931495905 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931512117 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931526899 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931529999 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931545019 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931561947 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931561947 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931577921 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931596041 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931596041 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931612968 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931632996 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931633949 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931648970 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931663990 CET	49717	443	192.168.2.3	162.159.135.233
Nov 28, 2020 10:37:41.931665897 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931679964 CET	443	49717	162.159.135.233	192.168.2.3
Nov 28, 2020 10:37:41.931689978 CET	49717	443	192.168.2.3	162.159.135.233

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 28, 2020 10:37:41.552948952 CET	60100	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:37:41.580101967 CET	53	60100	8.8.8.8	192.168.2.3
Nov 28, 2020 10:37:41.671618938 CET	53195	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:37:41.698879004 CET	53	53195	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:04.240446091 CET	50141	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:04.277604103 CET	53	50141	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:04.965647936 CET	53023	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:04.992706060 CET	53	53023	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:06.827598095 CET	49563	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:06.854834080 CET	53	49563	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:07.905268908 CET	51352	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:07.932425022 CET	53	51352	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:08.980107069 CET	59349	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:09.007498980 CET	53	59349	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:09.972315073 CET	57084	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:09.999340057 CET	53	57084	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:11.084019899 CET	58823	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:11.119395018 CET	53	58823	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:12.444272995 CET	57568	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:12.471477032 CET	53	57568	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:13.672631025 CET	50540	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:13.708272934 CET	53	50540	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:14.808981895 CET	54366	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:14.836146116 CET	53	54366	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:16.734339952 CET	53034	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:16.761512995 CET	53	53034	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:17.945646048 CET	57762	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:17.972709894 CET	53	57762	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:19.525032043 CET	55435	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:19.560581923 CET	53	55435	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:20.615120888 CET	50713	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:20.650367022 CET	53	50713	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:21.832798958 CET	56132	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:21.868168116 CET	53	56132	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:23.951775074 CET	58987	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:23.987147093 CET	53	58987	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:24.709131002 CET	56579	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:24.756115913 CET	53	56579	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:36.859330893 CET	60633	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:36.896075010 CET	53	60633	8.8.8.8	192.168.2.3
Nov 28, 2020 10:38:36.928865910 CET	61292	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:38:36.955954075 CET	53	61292	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:09.606900930 CET	63619	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:09.634120941 CET	53	63619	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:30.997318983 CET	64938	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:31.035757065 CET	53	64938	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:33.114603996 CET	61946	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:33.152363062 CET	53	61946	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:33.159216881 CET	64910	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:33.200141907 CET	53	64910	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:51.334048986 CET	52123	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:51.376846075 CET	53	52123	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:53.399835110 CET	56130	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:53.448430061 CET	53	56130	8.8.8.8	192.168.2.3
Nov 28, 2020 10:39:53.456829071 CET	56338	53	192.168.2.3	8.8.8.8
Nov 28, 2020 10:39:53.492341995 CET	53	56338	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 28, 2020 10:37:41.552948952 CET	192.168.2.3	8.8.8.8	0x116c	Standard query (0)	discord.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.671618938 CET	192.168.2.3	8.8.8.8	0xe351	Standard query (0)	cdn.discordapp.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:30.997318983 CET	192.168.2.3	8.8.8.8	0xfdad	Standard query (0)	www.hotsmail.today	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:33.114603996 CET	192.168.2.3	8.8.8.8	0xd9c	Standard query (0)	www.hotsmail.today	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:33.159216881 CET	192.168.2.3	8.8.8.8	0xcf9c	Standard query (0)	www.hotsmail.today	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:51.334048986 CET	192.168.2.3	8.8.8.8	0x82ca	Standard query (0)	www.naehascloud.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:53.399835110 CET	192.168.2.3	8.8.8.8	0xec43	Standard query (0)	www.naehascloud.com	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:53.456829071 CET	192.168.2.3	8.8.8.8	0xe131	Standard query (0)	www.naehascloud.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 28, 2020 10:37:41.580101967 CET	8.8.8.8	192.168.2.3	0x116c	No error (0)	discord.com		162.159.137.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.580101967 CET	8.8.8.8	192.168.2.3	0x116c	No error (0)	discord.com		162.159.128.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.580101967 CET	8.8.8.8	192.168.2.3	0x116c	No error (0)	discord.com		162.159.138.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.580101967 CET	8.8.8.8	192.168.2.3	0x116c	No error (0)	discord.com		162.159.136.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.580101967 CET	8.8.8.8	192.168.2.3	0x116c	No error (0)	discord.com		162.159.135.232	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.698879004 CET	8.8.8.8	192.168.2.3	0xe351	No error (0)	cdn.discordapp.com		162.159.135.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.698879004 CET	8.8.8.8	192.168.2.3	0xe351	No error (0)	cdn.discordapp.com		162.159.130.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.698879004 CET	8.8.8.8	192.168.2.3	0xe351	No error (0)	cdn.discordapp.com		162.159.134.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.698879004 CET	8.8.8.8	192.168.2.3	0xe351	No error (0)	cdn.discordapp.com		162.159.129.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:37:41.698879004 CET	8.8.8.8	192.168.2.3	0xe351	No error (0)	cdn.discordapp.com		162.159.133.233	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:31.035757065 CET	8.8.8.8	192.168.2.3	0xfdad	Name error (3)	www.hotsmail.today	none	none	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:33.152363062 CET	8.8.8.8	192.168.2.3	0xd9c	Name error (3)	www.hotsmail.today	none	none	A (IP address)	IN (0x0001)
Nov 28, 2020 10:39:33.200141907 CET	8.8.8.8	192.168.2.3	0xcf9c	Name error (3)	www.hotsmail.today	none	none	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Nov 28, 2020 10:37:41.747277975 CET	162.159.135.233	443	192.168.2.3	49717	CN=ssl711320.cloudflaressl.com CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Tue Oct 27 01:00:00 CET 2020 Thu Sep 25 02:00:00 CEST 2014 Thu Jan 01 01:00:00 CET 2004	Thu May 06 01:59:59 CEST 2021 Tue Sep 25 01:59:59 CEST 2029 Mon Jan 01 00:59:59 CET 2029	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=COMODO ECC Domain Validation Secure Server CA 2, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Sep 25 02:00:00 CEST 2014	Tue Sep 25 01:59:59 CEST 2029
					CN=COMODO ECC Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB	CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GB	Thu Jan 01 01:00:00 CET 2004	Mon Jan 01 00:59:59 CET 2029

Code Manipulations

User Modules

Hook Summary

Function Name	Hook Type	Active in Processes
PeekMessageA	INLINE	explorer.exe
PeekMessageW	INLINE	explorer.exe
GetMessageW	INLINE	explorer.exe
GetMessageA	INLINE	explorer.exe

Processes

Process: explorer.exe, Module: user32.dll

Function Name	Hook Type	New Data
PeekMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xB3 0x38
PeekMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x33 0x38
GetMessageW	INLINE	0x48 0x8B 0xB8 0x83 0x33 0x38
GetMessageA	INLINE	0x48 0x8B 0xB8 0x8B 0xB3 0x38

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Novi poredak.exe PID: 5972 Parent PID: 5664

General

Start time:	10:37:40
Start date:	28/11/2020
Path:	C:\Users\user\Desktop\Novi poredak.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Novi poredak.exe'
Imagebase:	0x400000
File size:	2250352 bytes
MD5 hash:	99A04FDDBCDADCC10EFA80D863D96D30
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Analysis Process: ieinstal.exe PID: 6780 Parent PID: 5972

General

Start time:	10:38:21
Start date:	28/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	C:\Program Files (x86)\internet explorer\ieinstal.exe
Imagebase:	0x300000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.359869128.0000000004CA0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.360930357.0000000010410000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.359837993.0000000004C70000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: explorer.exe PID: 3388 Parent PID: 6780

General

Start time:	10:38:24
Start date:	28/11/2020
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff714890000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: control.exe PID: 1256 Parent PID: 3388

General

Start time:	10:38:45
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0x7ff7488e0000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.481396669.0000000000670000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000010.00000002.484546978.0000000002D80000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Analysis Process: cmd.exe PID: 784 Parent PID: 1256

General

Start time:	10:38:54
Start date:	28/11/2020
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Imagebase:	0xbd0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 4276 Parent PID: 784

General

Start time:	10:38:55
Start date:	28/11/2020
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: ieinstal.exe PID: 5168 Parent PID: 3388

General

Start time:	10:39:10
Start date:	28/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Imagebase:	0x300000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: ieinstal.exe PID: 5860 Parent PID: 3388

General

Start time:	10:39:18
Start date:	28/11/2020
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\internet explorer\ieinstal.exe'
Imagebase:	0x300000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information.
Tactics:	Defense Evasion
Data Sources:	BIOS, MBR, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Loaded DLLs, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Novi poredak.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations