Windows Analysis Report
order 4502657678.exe

Overview

General Information

Sample name: order 4502657678.exe
Analysis ID: 1430351
MD5: 82df9d1ee9b303d453a7ea91d5f574e2
SHA1: 4b121f046e002ac5e2fbeec21079f6fd4c55d370
SHA256: 61e2a9db8f357380b18ba1017f2ae52d656d2c5f4de8851e244566b8c986d88a
Tags: exe

Detection

DarkTortilla, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected DarkTortilla Crypter
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Moves itself to temp directory
Tries to detect virtualization through RDTSC time measurements
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: DarkTortilla
Description: DarkTortilla is a complex and highly configurable .NET-based crypter that has possibly been active since at least August 2015. It typically delivers popular information stealers and remote access trojans (RATs) such as AgentTesla, AsyncRat, NanoCore, and RedLine. While it appears to primarily deliver commodity malware, Secureworks Counter Threat Unit (CTU) researchers identified DarkTortilla samples delivering targeted payloads such as Cobalt Strike and Metasploit. It can also deliver "addon packages" such as additional malicious payloads, benign decoy documents, and executables. It features robust anti-analysis and anti-tamper controls that can make detection, analysis, and eradication challenging. From January 2021 through May 2022, an average of 93 unique DarkTortilla samples per week were uploaded to the VirusTotal analysis service. Code similarities suggest possible links between DarkTortilla and other malware: a crypter operated by the RATs Crew threat group, which was active between 2008 and 2012, and the Gameloader malware that emerged in 2021.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.darktortilla

Name: Formbook, Formbo
Description: FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
Attribution:
  • SWEED
  • Cobalt
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

AV Detection

Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.budget-harmony.com/ij84/"], "decoy": ["resetter.xyz", "simonbelanger.me", "kwip.xyz", "7dbb9.baby", "notion-everyday.com", "saftiwall.com", "pulse-gaming.com", "fafafa1.shop", "ihaveahole.com", "sxtzzj.com", "996688x.xyz", "komalili.monster", "haberdashere.store", "nurselifegng.com", "kidtryz.com", "ghvx.xyz", "1minvideopro.com", "hidef.group", "stylishbeststyler.space", "spx21.com", "spatialad.net", "btstarvip.xyz", "gofetcher.net", "cqcready.net", "thecommunitycatalyst.com", "ssduckduckgo.com", "hastingsmortgagegroup.com", "mcminniespostersandmore.com", "xn--vaffelppinne-zcb.com", "thelsao.com", "muddybootssalisbury.com", "repetitionlaces.com", "yao-med.com", "hometotheworldcleaning.com", "ampowersolar.com", "xn--dtruire-bya.com", "cryptofarm.space", "ventaonline.site", "davidedema.com", "forklift-jobs-50425.bond", "laserfusionart.com", "mundosaludable.club", "bndl.fit", "lbexpress.shop", "matthewbrownlee.com", "viega.pro", "recrooglobal.com", "langzzzblog.online", "m-1263bets10.com", "surfacespecialistsnc.com", "conallnolankitchens.com", "80n.icu", "bleeckha.us", "thyselftrench.com", "bawaslu-tual.com", "elevatebuilders.co.za", "spacekat.xyz", "seniorlivinghub.today", "aloyoga-southafricas.com", "pickstreak.com", "boutiquelrdesign.com", "nazook.net", "ifoxclicks.com", "clinicallabpartner.com"]}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe ReversingLabs: Detection: 23%
Source: order 4502657678.exe ReversingLabs: Detection: 23%
Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Joe Sandbox ML: detected
Source: order 4502657678.exe Joe Sandbox ML: detected
Source: order 4502657678.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000014.00000002.2551899389.00000000018A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000014.00000002.2551899389.00000000018A0000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_05EE4564
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then push dword ptr [ebp-20h] 4_2_05EEF7E8
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 4_2_05EEF7E8
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then push dword ptr [ebp-20h] 4_2_05EEF7DD
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 4_2_05EEF7DD
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then push dword ptr [ebp-24h] 4_2_05EEFF08
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 4_2_05EEFF08
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then push dword ptr [ebp-24h] 4_2_05EEFEFC
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 4_2_05EEFEFC
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_05EEF66D
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then xor edx, edx 4_2_05EEFE40
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then xor edx, edx 4_2_05EEFE34
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_07C92408
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_07C923A1
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 4_2_07C92334
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_07C84564
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then push dword ptr [ebp-20h] 10_2_07C8F7DD
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 10_2_07C8F7DD
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then push dword ptr [ebp-20h] 10_2_07C8F7E8
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 10_2_07C8F7E8
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then push dword ptr [ebp-24h] 10_2_07C8FF08
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 10_2_07C8FF08
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then push dword ptr [ebp-24h] 10_2_07C8FEFC
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 10_2_07C8FEFC
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then xor edx, edx 10_2_07C8FE40
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_07C8F66D
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_07CC21A8
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 10_2_07CC2408
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 16_2_07A64564
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then push dword ptr [ebp-20h] 16_2_07A6F7E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 16_2_07A6F7E8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then push dword ptr [ebp-20h] 16_2_07A6F7DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 16_2_07A6F7DD
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then push dword ptr [ebp-24h] 16_2_07A6FF08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 16_2_07A6FF08
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then push dword ptr [ebp-24h] 16_2_07A6FEFC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 16_2_07A6FEFC
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then xor edx, edx 16_2_07A6FE10
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 16_2_07A6F66D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then xor edx, edx 16_2_07A6FE40
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 16_2_07AA21A8
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 16_2_07AA2408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then pop ebx 20_2_00407B1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then pop esi 20_2_00417330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 4x nop then pop edi 20_2_0040E47B

Networking

Source: Malware configuration extractor URLs: www.budget-harmony.com/ij84/
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20
Source: explorer.exe, 00000016.00000000.2522467915.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.00000000094DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000016.00000000.2522467915.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.00000000094DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000016.00000000.2522467915.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.0000000009519000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.00000000094DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000016.00000000.2522467915.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.000000000955E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.00000000094DC000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000016.00000000.2517182041.000000000305D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2554089500.000000000305D000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: order 4502657678.exe, 00000004.00000002.1369737440.0000000006053000.00000004.00000020.00020000.00000000.sdmp, ghedgegehe.exe, 0000000A.00000002.1466724304.0000000006A02000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://purl.oen
Source: explorer.exe, 00000016.00000000.2520673588.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2553005536.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000002.2559813276.0000000007B10000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000016.00000002.2569046857.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2527841871.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin
Source: explorer.exe, 00000016.00000002.2569046857.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2527841871.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000016.00000002.2562512037.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.00000000093B4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/$
Source: explorer.exe, 00000016.00000002.2562512037.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.00000000093B4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/X
Source: explorer.exe, 00000016.00000000.2517182041.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2515831260.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2549041838.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2554089500.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000016.00000002.2562512037.00000000093B4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.00000000093B4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc
Source: explorer.exe, 00000016.00000000.2517182041.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2554089500.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000016.00000002.2562512037.0000000009390000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2522467915.0000000009390000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comWzE
Source: explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000016.00000002.2569046857.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2527841871.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.comE
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hJkDs.img
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000016.00000002.2569046857.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2527841871.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.comNaP0B
Source: explorer.exe, 00000016.00000000.2527841871.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2568699459.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcemberZ
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000016.00000000.2523704295.0000000009724000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2563984081.0000000009724000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000016.00000002.2569046857.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2527841871.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com576
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000016.00000002.2557784325.0000000006F94000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: order 4502657678.exe PID: 7648, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: ghedgegehe.exe PID: 7172, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: purches order.exe PID: 1696, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 312, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: initial sample Static PE information: Filename: order 4502657678.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A360 NtCreateFile, 20_2_0041A360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A410 NtReadFile, 20_2_0041A410
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A490 NtClose, 20_2_0041A490
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A540 NtAllocateVirtualMemory, 20_2_0041A540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A35A NtCreateFile, 20_2_0041A35A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A45A NtReadFile, 20_2_0041A45A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A40A NtReadFile, 20_2_0041A40A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041A48A NtClose, 20_2_0041A48A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 20_2_01912BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912B60 NtClose,LdrInitializeThunk, 20_2_01912B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912DF0 NtQuerySystemInformation,LdrInitializeThunk, 20_2_01912DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912D10 NtMapViewOfSection,LdrInitializeThunk, 20_2_01912D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912C70 NtFreeVirtualMemory,LdrInitializeThunk, 20_2_01912C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912F30 NtCreateSection,LdrInitializeThunk, 20_2_01912F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 20_2_01912EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01914340 NtSetContextThread, 20_2_01914340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01914650 NtSuspendThread, 20_2_01914650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912B80 NtQueryInformationFile, 20_2_01912B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912BA0 NtEnumerateValueKey, 20_2_01912BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912BE0 NtQueryValueKey, 20_2_01912BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912AB0 NtWaitForSingleObject, 20_2_01912AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912AD0 NtReadFile, 20_2_01912AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912AF0 NtWriteFile, 20_2_01912AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912DB0 NtEnumerateKey, 20_2_01912DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912DD0 NtDelayExecution, 20_2_01912DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912D00 NtSetInformationFile, 20_2_01912D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912D30 NtUnmapViewOfSection, 20_2_01912D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912CA0 NtQueryInformationToken, 20_2_01912CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912CC0 NtQueryVirtualMemory, 20_2_01912CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912CF0 NtOpenProcess, 20_2_01912CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912C00 NtQueryInformationProcess, 20_2_01912C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912C60 NtCreateKey, 20_2_01912C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912F90 NtProtectVirtualMemory, 20_2_01912F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912FB0 NtResumeThread, 20_2_01912FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912FA0 NtQuerySection, 20_2_01912FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912FE0 NtCreateFile, 20_2_01912FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912F60 NtCreateProcessEx, 20_2_01912F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912E80 NtReadVirtualMemory, 20_2_01912E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912EE0 NtQueueApcThread, 20_2_01912EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912E30 NtWriteVirtualMemory, 20_2_01912E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01913090 NtSetValueKey, 20_2_01913090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01913010 NtOpenDirectoryObject, 20_2_01913010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019135C0 NtCreateMutant, 20_2_019135C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019139B0 NtGetContextThread, 20_2_019139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01913D10 NtOpenProcessToken, 20_2_01913D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01913D70 NtOpenThread, 20_2_01913D70
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_0797DEC0 CreateProcessAsUserW, 16_2_0797DEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E70C0 20_2_018E70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198F0CC 20_2_0198F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019970E9 20_2_019970E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199F0E0 20_2_0199F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0192739A 20_2_0192739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199132D 20_2_0199132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CD34C 20_2_018CD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E52A0 20_2_018E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FB2C0 20_2_018FB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019812ED 20_2_019812ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197D5B0 20_2_0197D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A95C3 20_2_019A95C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01997571 20_2_01997571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199F43F 20_2_0199F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D1460 20_2_018D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199F7B0 20_2_0199F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D17EC 20_2_018D17EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019916CC 20_2_019916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01925630 20_2_01925630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01975910 20_2_01975910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E9950 20_2_018E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FB950 20_2_018FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E38E0 20_2_018E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194D800 20_2_0194D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FFB80 20_2_018FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01955BF0 20_2_01955BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0191DBF9 20_2_0191DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199FB76 20_2_0199FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01925AA0 20_2_01925AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197DAAC 20_2_0197DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01981AA3 20_2_01981AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198DAC6 20_2_0198DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199FA49 20_2_0199FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01997A46 20_2_01997A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01953A6C 20_2_01953A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FFDC0 20_2_018FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01991D5A 20_2_01991D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E3D40 20_2_018E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01997D73 20_2_01997D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199FCF2 20_2_0199FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01959C32 20_2_01959C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E1F92 20_2_018E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199FFB1 20_2_0199FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199FF09 20_2_0199FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E9EB0 20_2_018E9EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01915130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0194EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 01927E54 appears 109 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 018CB970 appears 283 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: String function: 0195F290 appears 105 times
Source: order 4502657678.exe, 00000004.00000002.1359041869.00000000007FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs order 4502657678.exe
Source: order 4502657678.exe, 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs order 4502657678.exe
Source: order 4502657678.exe, 00000004.00000002.1363182798.000000000373B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs order 4502657678.exe
Source: order 4502657678.exe, 00000004.00000000.1267594504.0000000000648000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameifeanyi 1.exe( vs order 4502657678.exe
Source: order 4502657678.exe, 00000004.00000002.1365654712.0000000005090000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMiPro.dll, vs order 4502657678.exe
Source: order 4502657678.exe Binary or memory string: OriginalFilenameifeanyi 1.exe( vs order 4502657678.exe
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: order 4502657678.exe PID: 7648, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: ghedgegehe.exe PID: 7172, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: purches order.exe PID: 1696, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 312, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.adwa.evad.winEXE@14/8@0/1
Source: C:\Users\user\Desktop\order 4502657678.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\purches order.lnk
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Mutant created: NULL
Source: order 4502657678.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: order 4502657678.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\order 4502657678.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\order 4502657678.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: order 4502657678.exe ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Users\user\Desktop\order 4502657678.exe "C:\Users\user\Desktop\order 4502657678.exe"
Source: C:\Users\user\Desktop\order 4502657678.exe Process created: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe "C:\Users\user\AppData\Local\Temp\ghedgegehe.exe"
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\user\AppData\Local\Temp\ghedgegehe.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: sxs.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: scrrun.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\order 4502657678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: order 4502657678.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: order 4502657678.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000014.00000002.2551899389.00000000018A0000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000014.00000002.2551899389.00000000018A0000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: 4.2.order 4502657678.exe.373b7f0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.order 4502657678.exe.373b7f0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.order 4502657678.exe.36add90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.order 4502657678.exe.36add90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.order 4502657678.exe.5090000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.order 4502657678.exe.5090000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1359801669.00000000025DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.00000000041AB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.00000000040C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.000000000373B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1459376158.0000000002FF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.000000000399B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.0000000003882000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.0000000004092000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.00000000038B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1365654712.0000000005090000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1359801669.00000000024F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1459376158.00000000030DB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2515396631.00000000027E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: order 4502657678.exe PID: 7648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ghedgegehe.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: purches order.exe PID: 1696, type: MEMORYSTR
Source: order 4502657678.exe, n0LYq.cs .Net Code: NewLateBinding.LateCall(NewLateBinding.LateIndexGet(NewLateBinding.LateGet(NewLateBinding.LateIndexGet(NewLateBinding.LateGet(array2[2], (Type)null, "GetTypes", new object[0], (string[])null, (Type[])null, (bool[])null), new object[1] { 24 }, (string[])null), (Type)null, "GetMethods", new object[0], (string[])null, (Type[])null, (bool[])null), new object[1] { 0 }, (string[])null), (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: purches order.exe.12.dr, n0LYq.cs .Net Code: NewLateBinding.LateCall(NewLateBinding.LateIndexGet(NewLateBinding.LateGet(NewLateBinding.LateIndexGet(NewLateBinding.LateGet(array2[2], (Type)null, "GetTypes", new object[0], (string[])null, (Type[])null, (bool[])null), new object[1] { 24 }, (string[])null), (Type)null, "GetMethods", new object[0], (string[])null, (Type[])null, (bool[])null), new object[1] { 0 }, (string[])null), (Type)null, "Invoke", new object[2]{null,new object[0]}, (string[])null, (Type[])null, (bool[])null, true)
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4_2_006EC110 pushad ; ret 4_2_006EC111
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4_2_072E7DB5 push FFFFFF8Bh; iretd 4_2_072E7DB7
Source: C:\Users\user\Desktop\order 4502657678.exe Code function: 4_2_072E44BA pushad ; retf 4_2_072E44C1
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 10_2_02E1C110 pushad ; ret 10_2_02E1C111
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 10_2_07CB66E2 pushad ; retf 10_2_07CB66EB
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 10_2_07CB669E push eax; retf 10_2_07CB669F
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 10_2_07CBE58D push FFFFFF8Bh; iretd 10_2_07CBE58F
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 10_2_07CBB518 push es; ret 10_2_07CBB552
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Code function: 10_2_0817CB82 push eax; retf 10_2_0817CB89
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CB1915 push ss; retf 16_2_00CB18EA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CBC110 pushad ; ret 16_2_00CBC111
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CB18ED push ss; retf 16_2_00CB18EE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CB18E1 push ss; retf 16_2_00CB18E2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CB18F3 push ss; retf 16_2_00CB18F6
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CB18F0 push ss; retf 16_2_00CB18F2
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_00CB18F7 push ss; retf 16_2_00CB18FA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_075396C0 pushfd ; iretd 16_2_075396C9
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07535C01 push edi; retf 16_2_07535C02
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07535B7C pushfd ; retf 16_2_07535B7D
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_0795279D push FFFFFF8Bh; iretd 16_2_0795279F
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07A4CB82 push eax; retf 16_2_07A4CB89
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07A6F388 push 0000005Dh; ret 16_2_07A6F3AA
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07AAE400 pushad ; ret 16_2_07AAE963
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07AAC7E6 pushad ; ret 16_2_07AAC823
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07AAE8FD pushad ; ret 16_2_07AAE963
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Code function: 16_2_07AAC871 pushad ; ret 16_2_07AAC823
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_00417B98 push ecx; retf 20_2_00417BB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_00419C86 push sp; retf 20_2_00419C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041D4B5 push eax; ret 20_2_0041D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041D56C push eax; ret 20_2_0041D572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0041D502 push eax; ret 20_2_0041D508
Source: order 4502657678.exe Static PE information: section name: .text entropy: 6.918820158334831
Source: purches order.exe.12.dr Static PE information: section name: .text entropy: 6.918820158334831
Source: order 4502657678.exe, i2C7.cs High entropy of concatenated method names: 'Jd91', 'Xt8a', 'Qj62Cz', 'r0SPw2', 'Pc4n5E', 'Wm40Yi', 'e2TNb6', 'j2B6Zg', 's0YDq8', 'm9P4Mf'
Source: purches order.exe.12.dr, i2C7.cs High entropy of concatenated method names: 'Jd91', 'Xt8a', 'Qj62Cz', 'r0SPw2', 'Pc4n5E', 'Wm40Yi', 'e2TNb6', 'j2B6Zg', 's0YDq8', 'm9P4Mf'
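The two entropy findings above (a .text section at about 6.92 bits per byte, and the randomised method names in i2C7.cs) are the usual static hints of a packed or crypted .NET payload: a compressed or encrypted blob has a near-uniform byte distribution, while normal CIL and metadata do not. The Python below is an added example, not part of the Joe Sandbox report or of the sample, showing how such a check is computed: a minimal walk of the PE section table with Shannon entropy per section, and the same function applied to the concatenated method names the report lists. The 6.5 bits/byte threshold, the build_demo_pe scaffolding used to make the example run offline, and the assumption that the method-name check is per-character entropy are this example's own, not the report's.

```python
import math
import struct
from collections import Counter

# Method names copied from the i2C7.cs finding in the report above.
REPORT_METHOD_NAMES = ['Jd91', 'Xt8a', 'Qj62Cz', 'r0SPw2', 'Pc4n5E',
                       'Wm40Yi', 'e2TNb6', 'j2B6Zg', 's0YDq8', 'm9P4Mf']


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0); empty input scores 0.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def pe_section_entropies(image: bytes) -> list[tuple[str, float]]:
    """Return (section name, entropy) for every section in a PE image.

    Only the fields needed to reach raw section data are parsed: e_lfanew from the
    DOS header, NumberOfSections and SizeOfOptionalHeader from the COFF header,
    and Name / SizeOfRawData / PointerToRawData from each 40-byte section header.
    """
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", image, e_lfanew + 6)
    (opt_header_size,) = struct.unpack_from("<H", image, e_lfanew + 20)
    table = e_lfanew + 24 + opt_header_size          # first IMAGE_SECTION_HEADER
    result = []
    for i in range(num_sections):
        hdr = table + i * 40                          # sizeof(IMAGE_SECTION_HEADER)
        name = image[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, hdr + 16)
        result.append((name, shannon_entropy(image[raw_ptr:raw_ptr + raw_size])))
    return result


def packed_sections(image: bytes, threshold: float = 6.5) -> list[str]:
    """Names of sections above the packing threshold (6.5 is this example's assumption)."""
    return [name for name, h in pe_section_entropies(image) if h > threshold]


def method_name_entropy(names: list[str]) -> float:
    """Per-character entropy of the concatenated names (assumed to approximate the report's check)."""
    return shannon_entropy("".join(names).encode("ascii", "replace"))


def build_demo_pe(sections: list[tuple[bytes, bytes]]) -> bytes:
    """Assemble a constructed, minimal PE32 image from (name, data) pairs.

    Test scaffolding only: enough header structure for the parser above, not a
    loadable executable (no imports, no entry point, no section alignment).
    """
    opt_header_size = 224                             # PE32 optional header size
    e_lfanew = 0x40
    headers_len = e_lfanew + 4 + 20 + opt_header_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_header_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_header_size - 2)   # Magic = PE32
    table, body, raw_ptr = b"", b"", headers_len
    for name, data in sections:
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # then 16 bytes of relocation/line-number/characteristics fields left zero.
        table += name.ljust(8, b"\0") + struct.pack("<IIII", len(data), 0, len(data), raw_ptr)
        table += b"\0" * 16
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body


if __name__ == "__main__":
    # Constructed sample: a ".text" where every byte value is equally likely (what an
    # encrypted payload looks like) beside a ".rdata" made of a single repeated byte.
    demo = build_demo_pe([(b".text", bytes(range(256)) * 8), (b".rdata", b"A" * 2048)])
    for name, h in pe_section_entropies(demo):
        print(f"{name:<8} entropy={h:.3f}")
    print("sections above threshold:", packed_sections(demo))
    print(f"method-name entropy={method_name_entropy(REPORT_METHOD_NAMES):.3f}")
```

Entropy alone is a hint rather than proof: legitimate executables with embedded compressed resources or large certificate tables also score high, so the number is best read next to the other findings here (the late-binding reflection chain, the push/ret gadgets, and the Yara matches).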

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe
Source: C:\Users\user\Desktop\order 4502657678.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\purches order.lnk
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe\:Zone.Identifier:$DATA

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\Desktop\order 4502657678.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe File opened: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe\:Zone.Identifier read attributes | delete
Source: c:\users\user\desktop\order 4502657678.exe File moved: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe
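Read together, the Boot Survival and Zone.Identifier entries above describe three behaviours worth turning into rules: a payload and a .lnk dropped into the per-user Startup folder, each stage opening its own Zone.Identifier stream with DELETE access (which removes the Mark-of-the-Web that SmartScreen and Office rely on), and the original binary moved into %LOCALAPPDATA%\Temp. The Python below is an added example, not part of the report, that parses behaviour lines in the report's own "Source: <process> <event>: <path>" shape and flags those three patterns. The SAMPLE_EVENTS block is a constructed copy of entries shown above; the rule names, the set of recognised access words, and the "moved into Temp" heuristic are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: behaviour lines copied in shape from the report above
# (processes, paths and access masks as the sandbox printed them).
SAMPLE_EVENTS = r"""
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\Desktop\order 4502657678.exe\:Zone.Identifier read attributes | delete
Source: C:\Users\user\Desktop\order 4502657678.exe File moved: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe
Source: C:\Users\user\Desktop\order 4502657678.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\purches order.lnk
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
"""

# Access words the report prints after a path; assumed list, longest alternative first.
ACCESS = r"(?:read attributes|read|write|delete)"
EVENT_RE = re.compile(
    r"^Source: (?P<proc>.+?) (?P<verb>File created|File opened|File moved): "
    + r"(?P<path>.+?)(?: (?P<access>" + ACCESS + r"(?: \| " + ACCESS + r")*))?$"
)

# Case-insensitive path fragments (the lowered path is searched for these).
STARTUP_DIR = "\\microsoft\\windows\\start menu\\programs\\startup\\"
TEMP_DIR = "\\appdata\\local\\temp\\"


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    path: str


def parse_event(line: str):
    """Split one behaviour line into process, verb, path and the set of access rights.

    Returns None for lines of other event types. Limitation: a path that itself
    ended in one of the ACCESS words would be split one word too early.
    """
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["access"] = {a.strip() for a in ev["access"].split("|")} if ev["access"] else set()
    return ev


def evaluate(lines) -> list[Finding]:
    """Apply the three rules to a sequence of behaviour lines, in input order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        proc, verb, path, access = ev["proc"], ev["verb"], ev["path"], ev["access"]
        lower = path.lower()
        if verb == "File created" and STARTUP_DIR in lower:
            # Anything written under Startup runs at next logon; distinguish what was written.
            kind = "shortcut" if lower.endswith(".lnk") else "payload"
            if lower.endswith(":zone.identifier:$data"):
                kind = "zone.identifier stream"
            findings.append(Finding(f"startup-folder {kind}", proc, path))
        elif verb == "File opened" and lower.endswith(":zone.identifier") and "delete" in access:
            # Opening the MOTW stream with DELETE is how the sample sheds its download origin.
            findings.append(Finding("motw-strip: Zone.Identifier opened with DELETE", proc, path))
        elif verb == "File moved" and TEMP_DIR in lower:
            # Heuristic for the report's "moves itself to temp directory" behaviour.
            findings.append(Finding("relocation into %LOCALAPPDATA%\\Temp", proc, path))
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS.splitlines()):
        print(f"[{f.rule}] {f.process} -> {f.path}")
```

On a live host the same three checks translate to: list the per-user Startup folder and resolve every .lnk target, and treat any executable there whose Zone.Identifier stream is absent while its creation time is recent as worth a closer look, since a legitimately downloaded file keeps that stream until the user explicitly unblocks it.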
Source: C:\Users\user\Desktop\order 4502657678.exe Process information set: NOOPENFILEERRORBOX (repeated 48 times)
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Process information set: NOOPENFILEERRORBOX (repeated 50 times)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Process information set: NOOPENFILEERRORBOX (49 identical entries)

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: order 4502657678.exe PID: 7648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ghedgegehe.exe PID: 7172, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: purches order.exe PID: 1696, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20 (4 identical entries)
Source: C:\Users\user\Desktop\order 4502657678.exe Memory allocated: 6E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\order 4502657678.exe Memory allocated: 24F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\order 4502657678.exe Memory allocated: 2300000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Memory allocated: 2DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Memory allocated: 2FF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Memory allocated: 2E40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: CB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: 27E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: 2500000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: 7BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: 8BE0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: 8DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: 9DB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: A140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: B140000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: C140000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_00409AB0 rdtsc 20_2_00409AB0
Source: C:\Users\user\Desktop\order 4502657678.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe API coverage: 1.0 %
Source: C:\Users\user\Desktop\order 4502657678.exe TID: 7704 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe TID: 7584 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe TID: 7332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe TID: 3792 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe TID: 1864 Thread sleep time: -53000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe TID: 1528 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\order 4502657678.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\order 4502657678.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: purches order.exe, 00000010.00000002.2512716806.0000000000B21000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
Source: explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: )d2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000002.2549041838.0000000000889000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000/;
Source: explorer.exe, 00000016.00000002.2549041838.0000000000889000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o;
Source: explorer.exe, 00000016.00000000.2523704295.00000000095B9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: order 4502657678.exe, 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, order 4502657678.exe, 00000004.00000002.1363182798.000000000373B000.00000004.00000800.00020000.00000000.sdmp, order 4502657678.exe, 00000004.00000002.1365654712.0000000005090000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: VBoxTray
Source: order 4502657678.exe, 00000004.00000002.1365654712.0000000005090000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: sandboxierpcssGSOFTWARE\VMware, Inc.\VMware VGAuth
Source: explorer.exe, 00000016.00000000.2523704295.00000000095B9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000016.00000000.2523704295.00000000095B9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.2522467915.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.00000000094DC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: explorer.exe, 00000016.00000000.2523704295.00000000095B9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTbrVMWare
Source: explorer.exe, 00000016.00000000.2523704295.00000000095B9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}?
Source: order 4502657678.exe, 00000004.00000002.1365909679.00000000058A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000016.00000000.2522467915.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2562512037.000000000952D000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000016.00000000.2522467915.00000000093B4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000016.00000002.2562512037.00000000094DC000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: %SystemRoot%\system32\mswsock.dlldRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000016.00000000.2522467915.00000000093B4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: ghedgegehe.exe, 0000000A.00000002.1457506563.00000000010CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: order 4502657678.exe, 00000004.00000002.1359041869.0000000000832000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: explorer.exe, 00000016.00000000.2523704295.00000000095B9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000002.2554089500.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000016.00000000.2519166634.0000000006F94000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: C:\Users\user\Desktop\order 4502657678.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort
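The entries above are the raw evidence behind the evasion signatures of this report: the two RDTSC interceptor hits and the 20_2_00409AB0 rdtsc function, the cmd.exe to PING.EXE "ping 127.0.0.1 -n 20" chain, the write-watch reservations, the 922337203685477 delay values, the VMware/VBoxTray/Hyper-V/Sandboxie strings and the DebugPort query, with the fs:[00000030h] PEB reads following further down. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report and not code from the sample. It parses entries in the shapes shown here, strips the "Jump to behavior" link text, and counts each evasion technique per reporting process. Its assumptions are labelled in the code: the technique names and the VM_MARKERS list are chosen for this example, the "ping -n N takes about N-1 seconds" figure is an approximation for a host that answers immediately, the delay value is treated as effectively infinite because it equals 2**63 // 10_000 (an inference about the report's units, not something the report states), and SAMPLE_LINES are constructed copies of entries above plus one constructed non-VM string as a negative case.

```python
import re
from collections import Counter, defaultdict

# 2**63 // 10_000 == 922337203685477, the "delay time" value shown in the report above.
# It is the largest positive signed 64-bit interval in 100 ns units expressed in ms, so
# this helper treats it as an effectively infinite wait (an inference, not a report fact).
INFINITE_DELAY_MS = 2**63 // 10_000

# Substrings (chosen for this example) that mark a hypervisor/sandbox artifact in a
# "Binary or memory string" entry; other strings under that heading are ignored.
VM_MARKERS = ("vmware", "vbox", "hyper-v", "sandboxie", "virtual_disk", "virtual_dvd")

# One pattern per indicator, written against the line shapes in this report. The
# technique names are this example's own labels, not Joe Sandbox signature names.
PATTERNS = [
    ("rdtsc_timing", re.compile(r"^Source: (?P<src>.+?) RDTSC instruction interceptor: (?P<detail>.+)$")),
    ("rdtsc_timing", re.compile(r"^Source: (?P<src>.+?) Code function: (?P<detail>\S+ rdtsc .+)$")),
    ("ping_sleep", re.compile(r"^Source: (?P<src>.+?) Process created: (?P<detail>.*PING\.EXE .+)$")),
    ("write_watch", re.compile(r"^Source: (?P<src>.+?) Memory allocated: (?P<detail>[0-9A-Fa-f]+ memory reserve \| memory write watch)$")),
    ("long_delay", re.compile(r"^Source: (?P<src>.+?) Thread delayed: delay time: (?P<detail>\d+)$")),
    ("long_sleep", re.compile(r"^Source: (?P<src>.+?) TID: \d+ Thread sleep time: (?P<detail>-?\d+)s >= -?\d+s$")),
    ("debugport_query", re.compile(r"^Source: (?P<src>.+?) Process queried: (?P<detail>DebugPort)$")),
    ("peb_access", re.compile(r"^Source: (?P<src>.+?) Code function: (?P<detail>\S+ mov e[a-d]x, dword ptr fs:\[00000030h\]) \S+$")),
    ("vm_artifact", re.compile(r"^Source: (?P<src>.+?) Binary or memory string: (?P<detail>.+)$")),
]

# Constructed sample: copies of entry shapes from this report plus one made-up
# non-VM string ("kernel32.dll") that must not be counted as a VM artifact.
SAMPLE_LINES = [
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_00409AB0 rdtsc 20_2_00409AB0",
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20 Jump to behavior",
    r"Source: C:\Users\user\Desktop\order 4502657678.exe Memory allocated: 6E0000 memory reserve | memory write watch Jump to behavior",
    r"Source: C:\Users\user\Desktop\order 4502657678.exe Thread delayed: delay time: 922337203685477 Jump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe TID: 1864 Thread sleep time: -53000s >= -30000s Jump to behavior",
    r"Source: order 4502657678.exe, 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBoxTray",
    r"Source: order 4502657678.exe, 00000004.00000002.1359041869.0000000000832000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kernel32.dll",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195019F mov eax, dword ptr fs:[00000030h] 20_2_0195019F",
]


def strip_link_residue(line: str) -> str:
    """Drop the 'Jump to behavior' hyperlink text the HTML report appends to entries."""
    return re.sub(r"\s+Jump to behavior\s*$", "", line.strip())


def process_name(src: str) -> str:
    """Reduce 'C:\\...\\x.exe' or 'x.exe, <dump>.sdmp, ...' to the bare process name."""
    if ".sdmp" in src:
        src = src.split(", ", 1)[0]
    return src.rsplit("\\", 1)[-1]


def classify(line: str):
    """Return (technique, process, detail) for a recognised evasion entry, else None."""
    line = strip_link_residue(line)
    for technique, pattern in PATTERNS:
        m = pattern.match(line)
        if not m:
            continue
        detail = m.group("detail")
        if technique == "vm_artifact" and not any(k in detail.lower() for k in VM_MARKERS):
            return None  # an ordinary string under that heading, not a VM artifact
        return technique, process_name(m.group("src")), detail
    return None


def summarize(lines):
    """Count recognised entries per technique and per reporting process."""
    counts = defaultdict(Counter)
    for line in lines:
        hit = classify(line)
        if hit:
            technique, proc, _ = hit
            counts[technique][proc] += 1
    return {t: dict(c) for t, c in counts.items()}


def ping_sleep_seconds(cmdline: str):
    """Approximate delay of 'ping <host> -n N' against a host that answers at once:
    Windows ping waits about a second between requests, so N take roughly N-1 s."""
    m = re.search(r"-n\s+(\d+)", cmdline)
    return max(int(m.group(1)) - 1, 0) if m else None


def delay_is_effectively_infinite(delay_ms) -> bool:
    """True for the 2**63 // 10_000 value (or a multiple of it) seen in the report."""
    return abs(int(delay_ms)) >= INFINITE_DELAY_MS


def parse_instructions(detail: str):
    """Turn '0x00000000 rdtsc 0x00000002 xor ecx, ecx ...' into [(offset, instruction)]."""
    return [(int(off, 16), insn) for off, insn in
            re.findall(r"0x([0-9A-Fa-f]{8}) (.+?)(?= 0x[0-9A-Fa-f]{8} |$)", detail)]


def low_dword_delta(first_tsc: int, second_tsc: int) -> int:
    """What the intercepted stub measures: 'xor ecx, ecx; add ecx, eax' keeps only the
    low 32 bits of the first RDTSC, so the elapsed count wraps modulo 2**32."""
    return (second_tsc - first_tsc) & 0xFFFFFFFF


if __name__ == "__main__":
    for technique, per_process in sorted(summarize(SAMPLE_LINES).items()):
        print(f"{technique:16} {per_process}")
```

Run it as a script to print the per-process counts for the constructed sample, or feed `summarize()` the behavior section of a report line by line; `classify()` returns None for every entry it does not recognise, so unrelated lines are simply skipped rather than misfiled.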
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_00409AB0 rdtsc 20_2_00409AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0040ACF0 LdrLoadDll, 20_2_0040ACF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195019F mov eax, dword ptr fs:[00000030h] 20_2_0195019F (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198C188 mov eax, dword ptr fs:[00000030h] 20_2_0198C188 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01910185 mov eax, dword ptr fs:[00000030h] 20_2_01910185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01974180 mov eax, dword ptr fs:[00000030h] 20_2_01974180 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CA197 mov eax, dword ptr fs:[00000030h] 20_2_018CA197 (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E1D0 mov eax, dword ptr fs:[00000030h] 20_2_0194E1D0 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E1D0 mov ecx, dword ptr fs:[00000030h] 20_2_0194E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E1D0 mov eax, dword ptr fs:[00000030h] 20_2_0194E1D0 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019961C3 mov eax, dword ptr fs:[00000030h] 20_2_019961C3 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019001F8 mov eax, dword ptr fs:[00000030h] 20_2_019001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A61E5 mov eax, dword ptr fs:[00000030h] 20_2_019A61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01990115 mov eax, dword ptr fs:[00000030h] 20_2_01990115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197A118 mov ecx, dword ptr fs:[00000030h] 20_2_0197A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197A118 mov eax, dword ptr fs:[00000030h] 20_2_0197A118 (3 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov eax, dword ptr fs:[00000030h] 20_2_0197E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov ecx, dword ptr fs:[00000030h] 20_2_0197E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov eax, dword ptr fs:[00000030h] 20_2_0197E10E (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov ecx, dword ptr fs:[00000030h] 20_2_0197E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov eax, dword ptr fs:[00000030h] 20_2_0197E10E (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov ecx, dword ptr fs:[00000030h] 20_2_0197E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov eax, dword ptr fs:[00000030h] 20_2_0197E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E10E mov ecx, dword ptr fs:[00000030h] 20_2_0197E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01900124 mov eax, dword ptr fs:[00000030h] 20_2_01900124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01968158 mov eax, dword ptr fs:[00000030h] 20_2_01968158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01964144 mov eax, dword ptr fs:[00000030h] 20_2_01964144 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01964144 mov ecx, dword ptr fs:[00000030h] 20_2_01964144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01964144 mov eax, dword ptr fs:[00000030h] 20_2_01964144 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D6154 mov eax, dword ptr fs:[00000030h] 20_2_018D6154 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CC156 mov eax, dword ptr fs:[00000030h] 20_2_018CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4164 mov eax, dword ptr fs:[00000030h] 20_2_019A4164 (2 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D208A mov eax, dword ptr fs:[00000030h] 20_2_018D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019960B8 mov eax, dword ptr fs:[00000030h] 20_2_019960B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019960B8 mov ecx, dword ptr fs:[00000030h] 20_2_019960B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C80A0 mov eax, dword ptr fs:[00000030h] 20_2_018C80A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019680A8 mov eax, dword ptr fs:[00000030h] 20_2_019680A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019520DE mov eax, dword ptr fs:[00000030h] 20_2_019520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019120F0 mov ecx, dword ptr fs:[00000030h] 20_2_019120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D80E9 mov eax, dword ptr fs:[00000030h] 20_2_018D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CA0E3 mov ecx, dword ptr fs:[00000030h] 20_2_018CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019560E0 mov eax, dword ptr fs:[00000030h] 20_2_019560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CC0F0 mov eax, dword ptr fs:[00000030h] 20_2_018CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01954000 mov ecx, dword ptr fs:[00000030h] 20_2_01954000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01972000 mov eax, dword ptr fs:[00000030h] 20_2_01972000 (8 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018EE016 mov eax, dword ptr fs:[00000030h] 20_2_018EE016 (4 identical entries)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01966030 mov eax, dword ptr fs:[00000030h] 20_2_01966030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CA020 mov eax, dword ptr fs:[00000030h] 20_2_018CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CC020 mov eax, dword ptr fs:[00000030h] 20_2_018CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956050 mov eax, dword ptr fs:[00000030h] 20_2_01956050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D2050 mov eax, dword ptr fs:[00000030h] 20_2_018D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FC073 mov eax, dword ptr fs:[00000030h] 20_2_018FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F438F mov eax, dword ptr fs:[00000030h] 20_2_018F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F438F mov eax, dword ptr fs:[00000030h] 20_2_018F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CE388 mov eax, dword ptr fs:[00000030h] 20_2_018CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CE388 mov eax, dword ptr fs:[00000030h] 20_2_018CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CE388 mov eax, dword ptr fs:[00000030h] 20_2_018CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C8397 mov eax, dword ptr fs:[00000030h] 20_2_018C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C8397 mov eax, dword ptr fs:[00000030h] 20_2_018C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C8397 mov eax, dword ptr fs:[00000030h] 20_2_018C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019743D4 mov eax, dword ptr fs:[00000030h] 20_2_019743D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019743D4 mov eax, dword ptr fs:[00000030h] 20_2_019743D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E3DB mov eax, dword ptr fs:[00000030h] 20_2_0197E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E3DB mov eax, dword ptr fs:[00000030h] 20_2_0197E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E3DB mov ecx, dword ptr fs:[00000030h] 20_2_0197E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197E3DB mov eax, dword ptr fs:[00000030h] 20_2_0197E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA3C0 mov eax, dword ptr fs:[00000030h] 20_2_018DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA3C0 mov eax, dword ptr fs:[00000030h] 20_2_018DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA3C0 mov eax, dword ptr fs:[00000030h] 20_2_018DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA3C0 mov eax, dword ptr fs:[00000030h] 20_2_018DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA3C0 mov eax, dword ptr fs:[00000030h] 20_2_018DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA3C0 mov eax, dword ptr fs:[00000030h] 20_2_018DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D83C0 mov eax, dword ptr fs:[00000030h] 20_2_018D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D83C0 mov eax, dword ptr fs:[00000030h] 20_2_018D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D83C0 mov eax, dword ptr fs:[00000030h] 20_2_018D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D83C0 mov eax, dword ptr fs:[00000030h] 20_2_018D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198C3CD mov eax, dword ptr fs:[00000030h] 20_2_0198C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E03E9 mov eax, dword ptr fs:[00000030h] 20_2_018E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019063FF mov eax, dword ptr fs:[00000030h] 20_2_019063FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018EE3F0 mov eax, dword ptr fs:[00000030h] 20_2_018EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018EE3F0 mov eax, dword ptr fs:[00000030h] 20_2_018EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018EE3F0 mov eax, dword ptr fs:[00000030h] 20_2_018EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A30B mov eax, dword ptr fs:[00000030h] 20_2_0190A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A30B mov eax, dword ptr fs:[00000030h] 20_2_0190A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A30B mov eax, dword ptr fs:[00000030h] 20_2_0190A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CC310 mov ecx, dword ptr fs:[00000030h] 20_2_018CC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F0310 mov ecx, dword ptr fs:[00000030h] 20_2_018F0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A8324 mov eax, dword ptr fs:[00000030h] 20_2_019A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A8324 mov ecx, dword ptr fs:[00000030h] 20_2_019A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A8324 mov eax, dword ptr fs:[00000030h] 20_2_019A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A8324 mov eax, dword ptr fs:[00000030h] 20_2_019A8324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01978350 mov ecx, dword ptr fs:[00000030h] 20_2_01978350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195035C mov eax, dword ptr fs:[00000030h] 20_2_0195035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195035C mov eax, dword ptr fs:[00000030h] 20_2_0195035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195035C mov eax, dword ptr fs:[00000030h] 20_2_0195035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195035C mov ecx, dword ptr fs:[00000030h] 20_2_0195035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195035C mov eax, dword ptr fs:[00000030h] 20_2_0195035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195035C mov eax, dword ptr fs:[00000030h] 20_2_0195035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199A352 mov eax, dword ptr fs:[00000030h] 20_2_0199A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A634F mov eax, dword ptr fs:[00000030h] 20_2_019A634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01952349 mov eax, dword ptr fs:[00000030h] 20_2_01952349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197437C mov eax, dword ptr fs:[00000030h] 20_2_0197437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E284 mov eax, dword ptr fs:[00000030h] 20_2_0190E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E284 mov eax, dword ptr fs:[00000030h] 20_2_0190E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01950283 mov eax, dword ptr fs:[00000030h] 20_2_01950283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01950283 mov eax, dword ptr fs:[00000030h] 20_2_01950283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01950283 mov eax, dword ptr fs:[00000030h] 20_2_01950283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E02A0 mov eax, dword ptr fs:[00000030h] 20_2_018E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E02A0 mov eax, dword ptr fs:[00000030h] 20_2_018E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019662A0 mov eax, dword ptr fs:[00000030h] 20_2_019662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019662A0 mov ecx, dword ptr fs:[00000030h] 20_2_019662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019662A0 mov eax, dword ptr fs:[00000030h] 20_2_019662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019662A0 mov eax, dword ptr fs:[00000030h] 20_2_019662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019662A0 mov eax, dword ptr fs:[00000030h] 20_2_019662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019662A0 mov eax, dword ptr fs:[00000030h] 20_2_019662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A62D6 mov eax, dword ptr fs:[00000030h] 20_2_019A62D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA2C3 mov eax, dword ptr fs:[00000030h] 20_2_018DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA2C3 mov eax, dword ptr fs:[00000030h] 20_2_018DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA2C3 mov eax, dword ptr fs:[00000030h] 20_2_018DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA2C3 mov eax, dword ptr fs:[00000030h] 20_2_018DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA2C3 mov eax, dword ptr fs:[00000030h] 20_2_018DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E02E1 mov eax, dword ptr fs:[00000030h] 20_2_018E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E02E1 mov eax, dword ptr fs:[00000030h] 20_2_018E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E02E1 mov eax, dword ptr fs:[00000030h] 20_2_018E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C823B mov eax, dword ptr fs:[00000030h] 20_2_018C823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A625D mov eax, dword ptr fs:[00000030h] 20_2_019A625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198A250 mov eax, dword ptr fs:[00000030h] 20_2_0198A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198A250 mov eax, dword ptr fs:[00000030h] 20_2_0198A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D6259 mov eax, dword ptr fs:[00000030h] 20_2_018D6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01958243 mov eax, dword ptr fs:[00000030h] 20_2_01958243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01958243 mov ecx, dword ptr fs:[00000030h] 20_2_01958243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CA250 mov eax, dword ptr fs:[00000030h] 20_2_018CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C826B mov eax, dword ptr fs:[00000030h] 20_2_018C826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01980274 mov eax, dword ptr fs:[00000030h] 20_2_01980274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4260 mov eax, dword ptr fs:[00000030h] 20_2_018D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4260 mov eax, dword ptr fs:[00000030h] 20_2_018D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4260 mov eax, dword ptr fs:[00000030h] 20_2_018D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E59C mov eax, dword ptr fs:[00000030h] 20_2_0190E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D2582 mov eax, dword ptr fs:[00000030h] 20_2_018D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D2582 mov ecx, dword ptr fs:[00000030h] 20_2_018D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01904588 mov eax, dword ptr fs:[00000030h] 20_2_01904588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019505A7 mov eax, dword ptr fs:[00000030h] 20_2_019505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019505A7 mov eax, dword ptr fs:[00000030h] 20_2_019505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019505A7 mov eax, dword ptr fs:[00000030h] 20_2_019505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F45B1 mov eax, dword ptr fs:[00000030h] 20_2_018F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F45B1 mov eax, dword ptr fs:[00000030h] 20_2_018F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A5D0 mov eax, dword ptr fs:[00000030h] 20_2_0190A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A5D0 mov eax, dword ptr fs:[00000030h] 20_2_0190A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D65D0 mov eax, dword ptr fs:[00000030h] 20_2_018D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E5CF mov eax, dword ptr fs:[00000030h] 20_2_0190E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E5CF mov eax, dword ptr fs:[00000030h] 20_2_0190E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE5E7 mov eax, dword ptr fs:[00000030h] 20_2_018FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D25E0 mov eax, dword ptr fs:[00000030h] 20_2_018D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C5ED mov eax, dword ptr fs:[00000030h] 20_2_0190C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C5ED mov eax, dword ptr fs:[00000030h] 20_2_0190C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01966500 mov eax, dword ptr fs:[00000030h] 20_2_01966500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4500 mov eax, dword ptr fs:[00000030h] 20_2_019A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE53E mov eax, dword ptr fs:[00000030h] 20_2_018FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE53E mov eax, dword ptr fs:[00000030h] 20_2_018FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE53E mov eax, dword ptr fs:[00000030h] 20_2_018FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE53E mov eax, dword ptr fs:[00000030h] 20_2_018FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE53E mov eax, dword ptr fs:[00000030h] 20_2_018FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0535 mov eax, dword ptr fs:[00000030h] 20_2_018E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0535 mov eax, dword ptr fs:[00000030h] 20_2_018E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0535 mov eax, dword ptr fs:[00000030h] 20_2_018E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0535 mov eax, dword ptr fs:[00000030h] 20_2_018E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0535 mov eax, dword ptr fs:[00000030h] 20_2_018E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0535 mov eax, dword ptr fs:[00000030h] 20_2_018E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8550 mov eax, dword ptr fs:[00000030h] 20_2_018D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8550 mov eax, dword ptr fs:[00000030h] 20_2_018D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190656A mov eax, dword ptr fs:[00000030h] 20_2_0190656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190656A mov eax, dword ptr fs:[00000030h] 20_2_0190656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190656A mov eax, dword ptr fs:[00000030h] 20_2_0190656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198A49A mov eax, dword ptr fs:[00000030h] 20_2_0198A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019044B0 mov ecx, dword ptr fs:[00000030h] 20_2_019044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195A4B0 mov eax, dword ptr fs:[00000030h] 20_2_0195A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D64AB mov eax, dword ptr fs:[00000030h] 20_2_018D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D04E5 mov ecx, dword ptr fs:[00000030h] 20_2_018D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01908402 mov eax, dword ptr fs:[00000030h] 20_2_01908402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01908402 mov eax, dword ptr fs:[00000030h] 20_2_01908402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01908402 mov eax, dword ptr fs:[00000030h] 20_2_01908402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A430 mov eax, dword ptr fs:[00000030h] 20_2_0190A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CC427 mov eax, dword ptr fs:[00000030h] 20_2_018CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CE420 mov eax, dword ptr fs:[00000030h] 20_2_018CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CE420 mov eax, dword ptr fs:[00000030h] 20_2_018CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CE420 mov eax, dword ptr fs:[00000030h] 20_2_018CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01956420 mov eax, dword ptr fs:[00000030h] 20_2_01956420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0198A456 mov eax, dword ptr fs:[00000030h] 20_2_0198A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C645D mov eax, dword ptr fs:[00000030h] 20_2_018C645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190E443 mov eax, dword ptr fs:[00000030h] 20_2_0190E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F245A mov eax, dword ptr fs:[00000030h] 20_2_018F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195C460 mov ecx, dword ptr fs:[00000030h] 20_2_0195C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FA470 mov eax, dword ptr fs:[00000030h] 20_2_018FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FA470 mov eax, dword ptr fs:[00000030h] 20_2_018FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FA470 mov eax, dword ptr fs:[00000030h] 20_2_018FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197678E mov eax, dword ptr fs:[00000030h] 20_2_0197678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D07AF mov eax, dword ptr fs:[00000030h] 20_2_018D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019847A0 mov eax, dword ptr fs:[00000030h] 20_2_019847A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DC7C0 mov eax, dword ptr fs:[00000030h] 20_2_018DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019507C3 mov eax, dword ptr fs:[00000030h] 20_2_019507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F27ED mov eax, dword ptr fs:[00000030h] 20_2_018F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F27ED mov eax, dword ptr fs:[00000030h] 20_2_018F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F27ED mov eax, dword ptr fs:[00000030h] 20_2_018F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195E7E1 mov eax, dword ptr fs:[00000030h] 20_2_0195E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D47FB mov eax, dword ptr fs:[00000030h] 20_2_018D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D47FB mov eax, dword ptr fs:[00000030h] 20_2_018D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01900710 mov eax, dword ptr fs:[00000030h] 20_2_01900710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C700 mov eax, dword ptr fs:[00000030h] 20_2_0190C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0710 mov eax, dword ptr fs:[00000030h] 20_2_018D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194C730 mov eax, dword ptr fs:[00000030h] 20_2_0194C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190273C mov eax, dword ptr fs:[00000030h] 20_2_0190273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190273C mov ecx, dword ptr fs:[00000030h] 20_2_0190273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190273C mov eax, dword ptr fs:[00000030h] 20_2_0190273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C720 mov eax, dword ptr fs:[00000030h] 20_2_0190C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C720 mov eax, dword ptr fs:[00000030h] 20_2_0190C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01954755 mov eax, dword ptr fs:[00000030h] 20_2_01954755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912750 mov eax, dword ptr fs:[00000030h] 20_2_01912750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912750 mov eax, dword ptr fs:[00000030h] 20_2_01912750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195E75D mov eax, dword ptr fs:[00000030h] 20_2_0195E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190674D mov esi, dword ptr fs:[00000030h] 20_2_0190674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190674D mov eax, dword ptr fs:[00000030h] 20_2_0190674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190674D mov eax, dword ptr fs:[00000030h] 20_2_0190674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0750 mov eax, dword ptr fs:[00000030h] 20_2_018D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8770 mov eax, dword ptr fs:[00000030h] 20_2_018D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0770 mov eax, dword ptr fs:[00000030h] 20_2_018E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4690 mov eax, dword ptr fs:[00000030h] 20_2_018D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4690 mov eax, dword ptr fs:[00000030h] 20_2_018D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019066B0 mov eax, dword ptr fs:[00000030h] 20_2_019066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C6A6 mov eax, dword ptr fs:[00000030h] 20_2_0190C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A6C7 mov ebx, dword ptr fs:[00000030h] 20_2_0190A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A6C7 mov eax, dword ptr fs:[00000030h] 20_2_0190A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019506F1 mov eax, dword ptr fs:[00000030h] 20_2_019506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019506F1 mov eax, dword ptr fs:[00000030h] 20_2_019506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E6F2 mov eax, dword ptr fs:[00000030h] 20_2_0194E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E6F2 mov eax, dword ptr fs:[00000030h] 20_2_0194E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E6F2 mov eax, dword ptr fs:[00000030h] 20_2_0194E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E6F2 mov eax, dword ptr fs:[00000030h] 20_2_0194E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E260B mov eax, dword ptr fs:[00000030h] 20_2_018E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01912619 mov eax, dword ptr fs:[00000030h] 20_2_01912619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E609 mov eax, dword ptr fs:[00000030h] 20_2_0194E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D262C mov eax, dword ptr fs:[00000030h] 20_2_018D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018EE627 mov eax, dword ptr fs:[00000030h] 20_2_018EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01906620 mov eax, dword ptr fs:[00000030h] 20_2_01906620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01908620 mov eax, dword ptr fs:[00000030h] 20_2_01908620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018EC640 mov eax, dword ptr fs:[00000030h] 20_2_018EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01902674 mov eax, dword ptr fs:[00000030h] 20_2_01902674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A660 mov eax, dword ptr fs:[00000030h] 20_2_0190A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A660 mov eax, dword ptr fs:[00000030h] 20_2_0190A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199866E mov eax, dword ptr fs:[00000030h] 20_2_0199866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199866E mov eax, dword ptr fs:[00000030h] 20_2_0199866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D09AD mov eax, dword ptr fs:[00000030h] 20_2_018D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D09AD mov eax, dword ptr fs:[00000030h] 20_2_018D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019589B3 mov esi, dword ptr fs:[00000030h] 20_2_019589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019589B3 mov eax, dword ptr fs:[00000030h] 20_2_019589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019589B3 mov eax, dword ptr fs:[00000030h] 20_2_019589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E29A0 mov eax, dword ptr fs:[00000030h] 20_2_018E29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019049D0 mov eax, dword ptr fs:[00000030h] 20_2_019049D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199A9D3 mov eax, dword ptr fs:[00000030h] 20_2_0199A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019669C0 mov eax, dword ptr fs:[00000030h] 20_2_019669C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA9D0 mov eax, dword ptr fs:[00000030h] 20_2_018DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA9D0 mov eax, dword ptr fs:[00000030h] 20_2_018DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA9D0 mov eax, dword ptr fs:[00000030h] 20_2_018DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA9D0 mov eax, dword ptr fs:[00000030h] 20_2_018DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA9D0 mov eax, dword ptr fs:[00000030h] 20_2_018DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DA9D0 mov eax, dword ptr fs:[00000030h] 20_2_018DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019029F9 mov eax, dword ptr fs:[00000030h] 20_2_019029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019029F9 mov eax, dword ptr fs:[00000030h] 20_2_019029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195E9E0 mov eax, dword ptr fs:[00000030h] 20_2_0195E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195C912 mov eax, dword ptr fs:[00000030h] 20_2_0195C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C8918 mov eax, dword ptr fs:[00000030h] 20_2_018C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C8918 mov eax, dword ptr fs:[00000030h] 20_2_018C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E908 mov eax, dword ptr fs:[00000030h] 20_2_0194E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194E908 mov eax, dword ptr fs:[00000030h] 20_2_0194E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0196892B mov eax, dword ptr fs:[00000030h] 20_2_0196892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195892A mov eax, dword ptr fs:[00000030h] 20_2_0195892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01950946 mov eax, dword ptr fs:[00000030h] 20_2_01950946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4940 mov eax, dword ptr fs:[00000030h] 20_2_019A4940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195C97C mov eax, dword ptr fs:[00000030h] 20_2_0195C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F6962 mov eax, dword ptr fs:[00000030h] 20_2_018F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F6962 mov eax, dword ptr fs:[00000030h] 20_2_018F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F6962 mov eax, dword ptr fs:[00000030h] 20_2_018F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01974978 mov eax, dword ptr fs:[00000030h] 20_2_01974978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01974978 mov eax, dword ptr fs:[00000030h] 20_2_01974978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0191096E mov eax, dword ptr fs:[00000030h] 20_2_0191096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0191096E mov edx, dword ptr fs:[00000030h] 20_2_0191096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0191096E mov eax, dword ptr fs:[00000030h] 20_2_0191096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195C89D mov eax, dword ptr fs:[00000030h] 20_2_0195C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0887 mov eax, dword ptr fs:[00000030h] 20_2_018D0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FE8C0 mov eax, dword ptr fs:[00000030h] 20_2_018FE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A08C0 mov eax, dword ptr fs:[00000030h] 20_2_019A08C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C8F9 mov eax, dword ptr fs:[00000030h] 20_2_0190C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190C8F9 mov eax, dword ptr fs:[00000030h] 20_2_0190C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199A8E4 mov eax, dword ptr fs:[00000030h] 20_2_0199A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195C810 mov eax, dword ptr fs:[00000030h] 20_2_0195C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190A830 mov eax, dword ptr fs:[00000030h] 20_2_0190A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197483A mov eax, dword ptr fs:[00000030h] 20_2_0197483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197483A mov eax, dword ptr fs:[00000030h] 20_2_0197483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F2835 mov eax, dword ptr fs:[00000030h] 20_2_018F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F2835 mov eax, dword ptr fs:[00000030h] 20_2_018F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F2835 mov eax, dword ptr fs:[00000030h] 20_2_018F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F2835 mov ecx, dword ptr fs:[00000030h] 20_2_018F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F2835 mov eax, dword ptr fs:[00000030h] 20_2_018F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F2835 mov eax, dword ptr fs:[00000030h] 20_2_018F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01900854 mov eax, dword ptr fs:[00000030h] 20_2_01900854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E2840 mov ecx, dword ptr fs:[00000030h] 20_2_018E2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4859 mov eax, dword ptr fs:[00000030h] 20_2_018D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D4859 mov eax, dword ptr fs:[00000030h] 20_2_018D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01966870 mov eax, dword ptr fs:[00000030h] 20_2_01966870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01966870 mov eax, dword ptr fs:[00000030h] 20_2_01966870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195E872 mov eax, dword ptr fs:[00000030h] 20_2_0195E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195E872 mov eax, dword ptr fs:[00000030h] 20_2_0195E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01984BB0 mov eax, dword ptr fs:[00000030h] 20_2_01984BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01984BB0 mov eax, dword ptr fs:[00000030h] 20_2_01984BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0BBE mov eax, dword ptr fs:[00000030h] 20_2_018E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0BBE mov eax, dword ptr fs:[00000030h] 20_2_018E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0BCD mov eax, dword ptr fs:[00000030h] 20_2_018D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0BCD mov eax, dword ptr fs:[00000030h] 20_2_018D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0BCD mov eax, dword ptr fs:[00000030h] 20_2_018D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F0BCB mov eax, dword ptr fs:[00000030h] 20_2_018F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F0BCB mov eax, dword ptr fs:[00000030h] 20_2_018F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F0BCB mov eax, dword ptr fs:[00000030h] 20_2_018F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197EBD0 mov eax, dword ptr fs:[00000030h] 20_2_0197EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195CBF0 mov eax, dword ptr fs:[00000030h] 20_2_0195CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FEBFC mov eax, dword ptr fs:[00000030h] 20_2_018FEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8BF0 mov eax, dword ptr fs:[00000030h] 20_2_018D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8BF0 mov eax, dword ptr fs:[00000030h] 20_2_018D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8BF0 mov eax, dword ptr fs:[00000030h] 20_2_018D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0194EB1D mov eax, dword ptr fs:[00000030h] 20_2_0194EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4B00 mov eax, dword ptr fs:[00000030h] 20_2_019A4B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FEB20 mov eax, dword ptr fs:[00000030h] 20_2_018FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FEB20 mov eax, dword ptr fs:[00000030h] 20_2_018FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01998B28 mov eax, dword ptr fs:[00000030h] 20_2_01998B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01998B28 mov eax, dword ptr fs:[00000030h] 20_2_01998B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0197EB50 mov eax, dword ptr fs:[00000030h] 20_2_0197EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A2B57 mov eax, dword ptr fs:[00000030h] 20_2_019A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A2B57 mov eax, dword ptr fs:[00000030h] 20_2_019A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A2B57 mov eax, dword ptr fs:[00000030h] 20_2_019A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A2B57 mov eax, dword ptr fs:[00000030h] 20_2_019A2B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01984B4B mov eax, dword ptr fs:[00000030h] 20_2_01984B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01984B4B mov eax, dword ptr fs:[00000030h] 20_2_01984B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01978B42 mov eax, dword ptr fs:[00000030h] 20_2_01978B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01966B40 mov eax, dword ptr fs:[00000030h] 20_2_01966B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01966B40 mov eax, dword ptr fs:[00000030h] 20_2_01966B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0199AB40 mov eax, dword ptr fs:[00000030h] 20_2_0199AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018C8B50 mov eax, dword ptr fs:[00000030h] 20_2_018C8B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018CCB7E mov eax, dword ptr fs:[00000030h] 20_2_018CCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01908A90 mov edx, dword ptr fs:[00000030h] 20_2_01908A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018DEA80 mov eax, dword ptr fs:[00000030h] 20_2_018DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_019A4A80 mov eax, dword ptr fs:[00000030h] 20_2_019A4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8AA0 mov eax, dword ptr fs:[00000030h] 20_2_018D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D8AA0 mov eax, dword ptr fs:[00000030h] 20_2_018D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01926AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01904AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D0AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_01926ACC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190AAEE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0195CA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018FEA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190CA38 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_0190CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018F4A35 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018E0A5B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Code function: 20_2_018D6A50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\order 4502657678.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\order 4502657678.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 1139008
Source: C:\Users\user\Desktop\order 4502657678.exe Process created: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe "C:\Users\user\AppData\Local\Temp\ghedgegehe.exe"
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\user\AppData\Local\Temp\ghedgegehe.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 20
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "c:\users\user\appdata\local\temp\ghedgegehe.exe" "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\skype\purches order.exe" && ping 127.0.0.1 -n 20 > nul && "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\skype\purches order.exe"
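The two verdicts behind this section, a PE image written into AddInProcess32.exe and a ping-as-sleep chain that copies the dropper into the Startup folder and runs it, can be re-derived mechanically from the raw behaviour lines. The Python below is an added example written for this page, not Joe Sandbox code: it parses four lines copied from the section above (embedded as constructed sample input), pairs an executable allocation in a foreign process with a later write of the 4D5A ("MZ") header to the same base, and computes how long the two `ping 127.0.0.1 -n 20` calls stall the dropper. The "Source: <image> <action>: <detail>" line layout, the regexes built on it and the one-second ping interval are assumptions.

```python
"""Re-derive two verdicts from this report's raw behaviour lines: a PE image
planted in a foreign process, and ping-as-sleep followed by a copy into the
Startup folder. Example code written for this page, not Joe Sandbox code."""
import re
from dataclasses import dataclass

# Constructed sample input: four behaviour lines copied from the report above.
SANDBOX_LINES = [
    r'Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write',
    r'Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A',
    r'Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 401000',
    r'Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd" /c ping 127.0.0.1 -n 20 > nul && copy "C:\Users\user\AppData\Local\Temp\ghedgegehe.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe" && ping 127.0.0.1 -n 20 > nul && "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"',
]

# Assumed layout of a report line: "Source: <image> <action>: <detail>".
LINE_RE = re.compile(r'^Source: (?P<source>.+?) '
                     r'(?P<action>Memory allocated|Memory written|Process created): (?P<detail>.*)$')
ALLOC_RE = re.compile(r'^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<protect>.+)$')
WRITE_RE = re.compile(r'^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+)'
                      r'(?: value starts with: (?P<magic>[0-9A-Fa-f]+))?$')
PING_RE = re.compile(r'ping 127\.0\.0\.1 -n (\d+)', re.IGNORECASE)
COPY_RE = re.compile(r'copy "(?P<src>[^"]+)" "(?P<dst>[^"]+)"', re.IGNORECASE)
STARTUP_DIR = '\\start menu\\programs\\startup\\'   # per-user Startup folder


@dataclass
class Event:
    source: str   # process that performed the action
    action: str
    detail: str


def parse_events(lines):
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Event(m['source'], m['action'], m['detail']))
    return events


def find_pe_injection(events):
    """Pair an executable allocation in a foreign process with a later write to
    the same base whose first bytes are the DOS header magic 4D5A ("MZ"): the
    payload's PE image is being planted at the target's image base."""
    executable = {}   # (injector, target, base) -> protection string
    findings = []
    for ev in events:
        if ev.action == 'Memory allocated':
            m = ALLOC_RE.match(ev.detail)
            if m and 'execute' in m['protect']:
                executable[(ev.source, m['target'], int(m['base'], 16))] = m['protect']
        elif ev.action == 'Memory written':
            m = WRITE_RE.match(ev.detail)
            if not m:
                continue
            key = (ev.source, m['target'], int(m['base'], 16))
            if key in executable and (m['magic'] or '').upper().startswith('4D5A'):
                findings.append({'injector': ev.source, 'target': m['target'],
                                 'base': key[2], 'protect': executable[key]})
    return findings


def find_ping_sleep_persistence(events, interval_s=1.0):
    """Flag a cmd.exe command line that pings localhost as a sleep, copies a
    file into the Startup folder and then runs the copy. ping -n N sends N echo
    requests about one second apart (assumed interval), so each call stalls the
    chain for roughly N-1 seconds while the local replies come back at once."""
    findings = []
    for ev in events:
        if ev.action != 'Process created' or 'cmd.exe' not in ev.detail.lower():
            continue
        counts = [int(n) for n in PING_RE.findall(ev.detail)]
        copy = COPY_RE.search(ev.detail)
        if not counts or not copy or STARTUP_DIR not in copy['dst'].lower():
            continue
        after_copy = ev.detail[copy.end():]
        findings.append({'parent': ev.source,
                         'copied_from': copy['src'],
                         'startup_path': copy['dst'],
                         'launched': f'"{copy["dst"]}"' in after_copy,
                         'sleep_seconds': sum((n - 1) * interval_s for n in counts)})
    return findings


if __name__ == '__main__':
    evs = parse_events(SANDBOX_LINES)
    for finding in find_pe_injection(evs) + find_ping_sleep_persistence(evs):
        print(finding)
```

Keying the allocation on (injector, target, base) rather than on the target alone matters here: the same dropper also maps into explorer.exe later in the chain, and a detector that only watched for "any RWX allocation in a foreign process" would fire on legitimate .NET and hooking activity as well. Requiring the MZ header at the allocated base is what separates a planted PE image from ordinary cross-process writes.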
Source: explorer.exe, 00000016.00000002.2563984081.00000000095B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000000.2530675285.000000000D5C0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2551944962.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000016.00000002.2551944962.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.2516288310.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000016.00000002.2551944962.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.2516288310.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: EProgram Manager
Source: explorer.exe, 00000016.00000000.2515831260.0000000000889000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.2549041838.0000000000889000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman
Source: explorer.exe, 00000016.00000002.2551944962.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000016.00000000.2516288310.0000000001080000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Users\user\Desktop\order 4502657678.exe VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\ghedgegehe.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\order 4502657678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000016.00000002.2562378664.0000000009159000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.000000000367C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.00000000037E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2548486119.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.1463152963.00000000042E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.0000000003535000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000037E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1363182798.00000000035D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2532555388.0000000003ACC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY