Edit tour

Windows Analysis Report
ysWQ4BqQrF.exe

Overview

General Information

Sample name:	ysWQ4BqQrF.exe renamed because original name is a hash value
Original sample name:	ef4948765f8caae1f84b2199e785842e19e49c39630422c12a603c93d3e6b4b4.exe
Analysis ID:	1634563
MD5:	0be3c2adea2ab8c61cd2121e65e489ff
SHA1:	161468a441925fe86e2a2d500d85f91d6eeb11e3
SHA256:	ef4948765f8caae1f84b2199e785842e19e49c39630422c12a603c93d3e6b4b4
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: CMSTP Execution Process Creation

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

ysWQ4BqQrF.exe (PID: 6408 cmdline: "C:\Users\user\Desktop\ysWQ4BqQrF.exe" MD5: 0BE3C2ADEA2AB8C61CD2121E65E489FF)

powershell.exe (PID: 6748 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 4560 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 6840 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 2720 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 496 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

cmstp.exe (PID: 6768 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

cmd.exe (PID: 7196 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 7180 cmdline: "C:\Windows\SysWOW64\cscript.exe" MD5: CB601B41D4C8074BE8A84AED564A94DC)

YNfDrfV.exe (PID: 372 cmdline: C:\Users\user\AppData\Roaming\YNfDrfV.exe MD5: 0BE3C2ADEA2AB8C61CD2121E65E489FF)

schtasks.exe (PID: 1580 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 2584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.redgoodsgather.shop/egs9/"], "decoy": ["alliancecigars.net", "35893.pizza", "selidik.cloud", "evel789-aman.club", "wqsbr5jc.vip", "corretoraplanodesaude.shop", "balikoltada.xyz", "play-vanguard-nirvana.xyz", "paktuaslotxcxrtp.xyz", "retailzone1997.shop", "jk77juta-official.cloud", "godmoments.app", "flippinforbidsfrear.cloud", "234bets.net", "cryptobiz.tech", "construction-jobs-50157.bond", "cuficdarbiesdarleen.cloud", "t59bm675ri.skin", "ondqwxl.top", "kpde.xyz", "apoiador.xyz", "denotational.xyz", "fat-removal-40622.bond", "kqsamcsauqiagmma.xyz", "online-advertising-68283.bond", "mise96.xyz", "pokerdom55.vip", "arai.rest", "marketplace20.click", "kongou.systems", "isbnu.shop", "online-advertising-98154.bond", "pepsico.llc", "80072661.xyz", "wholesalemeat.today", "security-apps-16796.bond", "remationservices26114.shop", "kitchen-remodeling-14279.bond", "betterskin.store", "aigamestudio.xyz", "uhsrgi.info", "mentagekript.today", "box-spring-bed-50031.bond", "blood-flow.bond", "653emd.top", "venturelinks.net", "trendysolutions.store", "creativege.xyz", "sellhome.live", "petir99bro.xyz", "maipingxiu.net", "influencer-marketing-56510.bond", "czlovesys.xyz", "phpcrazy.net", "hikingk.store", "imstest.online", "bet2024.shop", "lord.land", "gobg.net", "armada77x.sbs", "msytuv.info", "buenosbufidinburez.cloud", "transeo.xyz", "deltaestates.online"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.2499237217.0000000010409000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa92:$a2: pass 0xa98:$a3: email 0xa9f:$a4: login 0xaa6:$a5: signin 0xab7:$a6: persistent 0xc8a:$r1: C:\Users\user\AppData\Roaming\1N8905E6\1N8log.ini
00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6db9:$a1: 3C 30 50 4F 53 54 74 09 40 0x351d9:$a1: 3C 30 50 4F 53 54 74 09 40 0x625f9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d6f8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4bb18:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78f38:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb537:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39957:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66d77:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1641f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x4483f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71c5f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa470:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa6ea:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38890:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38b0a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65cb0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65f2a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1621d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x4463d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71a5d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15d09:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x44129:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x71549:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1631f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x4473f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71b5f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16497:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x448b7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71cd7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb102:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x39522:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x66942:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19381:$sqlite3step: 68 34 1C 7B E1 0x19494:$sqlite3step: 68 34 1C 7B E1 0x477a1:$sqlite3step: 68 34 1C 7B E1 0x478b4:$sqlite3step: 68 34 1C 7B E1 0x74bc1:$sqlite3step: 68 34 1C 7B E1 0x74cd4:$sqlite3step: 68 34 1C 7B E1 0x193b0:$sqlite3text: 68 38 2A 90 C5 0x194d5:$sqlite3text: 68 38 2A 90 C5 0x477d0:$sqlite3text: 68 38 2A 90 C5 0x478f5:$sqlite3text: 68 38 2A 90 C5 0x74bf0:$sqlite3text: 68 38 2A 90 C5 0x74d15:$sqlite3text: 68 38 2A 90 C5 0x193c3:$sqlite3blob: 68 53 D8 7F 8C 0x194eb:$sqlite3blob: 68 53 D8 7F 8C 0x477e3:$sqlite3blob: 68 53 D8 7F 8C 0x4790b:$sqlite3blob: 68 53 D8 7F 8C 0x74c03:$sqlite3blob: 68 53 D8 7F 8C 0x74d2b:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6e69:$a1: 3C 30 50 4F 53 54 74 09 40 0x35289:$a1: 3C 30 50 4F 53 54 74 09 40 0x626a9:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d7a8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x4bbc8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x78fe8:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb5e7:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x39a07:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x66e27:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x164cf:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x448ef:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x71d0f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa520:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa79a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38940:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x38bba:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65d60:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x65fda:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x162cd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x446ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x71b0d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15db9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x441d9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x715f9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x163cf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x447ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x71c0f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x16547:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x44967:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x71d87:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb1b2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x395d2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x669f2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19431:$sqlite3step: 68 34 1C 7B E1 0x19544:$sqlite3step: 68 34 1C 7B E1 0x47851:$sqlite3step: 68 34 1C 7B E1 0x47964:$sqlite3step: 68 34 1C 7B E1 0x74c71:$sqlite3step: 68 34 1C 7B E1 0x74d84:$sqlite3step: 68 34 1C 7B E1 0x19460:$sqlite3text: 68 38 2A 90 C5 0x19585:$sqlite3text: 68 38 2A 90 C5 0x47880:$sqlite3text: 68 38 2A 90 C5 0x479a5:$sqlite3text: 68 38 2A 90 C5 0x74ca0:$sqlite3text: 68 38 2A 90 C5 0x74dc5:$sqlite3text: 68 38 2A 90 C5 0x19473:$sqlite3blob: 68 53 D8 7F 8C 0x1959b:$sqlite3blob: 68 53 D8 7F 8C 0x47893:$sqlite3blob: 68 53 D8 7F 8C 0x479bb:$sqlite3blob: 68 53 D8 7F 8C 0x74cb3:$sqlite3blob: 68 53 D8 7F 8C 0x74ddb:$sqlite3blob: 68 53 D8 7F 8C
00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: ysWQ4BqQrF.exe PID: 6408	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: ysWQ4BqQrF.exe PID: 6408	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x1acff:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 2720	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xe8a:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: YNfDrfV.exe PID: 372	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: YNfDrfV.exe PID: 372	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x47304:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 6768	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x14c:$a1: 3C 30 50 4F 53 54 74 09 40 0x8eda:$a1: 3C 30 50 4F 53 54 74 09 40 0x122405:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cscript.exe PID: 7180	Windows_Trojan_Formbook_1112e116	unknown	unknown	0xdcc69:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 38 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
6.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: CMSTP Execution Process Creation

Source: Process started

Author: Nik Seetharaman: Data: Command: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", CommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Windows\SysWOW64\cmstp.exe", ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 6768, ParentProcessName: cmstp.exe, ProcessCommandLine: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe", ProcessId: 7196, ProcessName: cmd.exe

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ysWQ4BqQrF.exe", ParentImage: C:\Users\user\Desktop\ysWQ4BqQrF.exe, ParentProcessId: 6408, ParentProcessName: ysWQ4BqQrF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe", ProcessId: 6748, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\YNfDrfV.exe, ParentImage: C:\Users\user\AppData\Roaming\YNfDrfV.exe, ParentProcessId: 372, ParentProcessName: YNfDrfV.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp", ProcessId: 1580, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ysWQ4BqQrF.exe", ParentImage: C:\Users\user\Desktop\ysWQ4BqQrF.exe, ParentProcessId: 6408, ParentProcessName: ysWQ4BqQrF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp", ProcessId: 6840, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\ysWQ4BqQrF.exe", ParentImage: C:\Users\user\Desktop\ysWQ4BqQrF.exe, ParentProcessId: 6408, ParentProcessName: ysWQ4BqQrF.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe", ProcessId: 6748, ProcessName: powershell.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\ysWQ4BqQrF.exe", ParentImage: C:\Users\user\Desktop\ysWQ4BqQrF.exe, ParentProcessId: 6408, ParentProcessName: ysWQ4BqQrF.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp", ProcessId: 6840, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T01:33:31.711551+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49694	15.197.225.128	80	TCP
2025-03-11T01:34:15.956404+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49692	104.21.64.1	80	TCP
2025-03-11T01:35:17.778623+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49695	104.21.69.61	80	TCP
2025-03-11T01:35:38.876414+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.6	49696	92.112.189.41	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ysWQ4BqQrF.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://www.isbnu.shop/egs9/www.aigamestudio.xyz	Avira URL Cloud: Label: malware
Source: http://www.alliancecigars.net/egs9/www.flippinforbidsfrear.cloud	Avira URL Cloud: Label: malware
Source: http://www.evel789-aman.club/egs9/www.redgoodsgather.shop	Avira URL Cloud: Label: malware
Source: http://www.flippinforbidsfrear.cloud/egs9/www.kpde.xyz	Avira URL Cloud: Label: malware
Source: https://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZ	Avira URL Cloud: Label: malware
Source: www.redgoodsgather.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.flippinforbidsfrear.cloud/egs9/?K8elV=WY6dXz4hP2USskFVaG6AmVG36gfocnqcJNOT/iAq7eLnPv9oQtDKLFR9qtIXXXVluDfsS1HcVA==&mVfp=MTrLPvVhZLm	Avira URL Cloud: Label: malware
Source: http://www.evel789-aman.club	Avira URL Cloud: Label: malware
Source: http://www.kongou.systems	Avira URL Cloud: Label: malware
Source: http://www.imstest.online	Avira URL Cloud: Label: malware
Source: http://www.mentagekript.today/egs9/	Avira URL Cloud: Label: malware
Source: http://www.flippinforbidsfrear.cloud/egs9/	Avira URL Cloud: Label: malware
Source: http://www.redgoodsgather.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.653emd.top	Avira URL Cloud: Label: malware
Source: http://www.redgoodsgather.shop/egs9/www.mentagekript.today	Avira URL Cloud: Label: malware
Source: http://www.mentagekript.today	Avira URL Cloud: Label: malware
Source: http://www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==	Avira URL Cloud: Label: malware
Source: http://www.play-vanguard-nirvana.xyz/egs9/www.imstest.online	Avira URL Cloud: Label: malware
Source: http://www.alliancecigars.net/egs9/?mVfp=MTrLPvVhZLm&K8elV=wA+abWeWfQrMiE4bW8SGLQYY6mDtYGtq3v+j3Td9NN12kduRfWzJue6T+YpGJtlAkwGAydKR6g==	Avira URL Cloud: Label: malware
Source: http://www.kongou.systems/egs9/	Avira URL Cloud: Label: malware
Source: http://www.evel789-aman.club/egs9/	Avira URL Cloud: Label: malware
Source: http://www.alliancecigars.net/egs9/	Avira URL Cloud: Label: malware
Source: http://www.creativege.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.imstest.online/egs9/	Avira URL Cloud: Label: malware
Source: http://www.imstest.online/egs9/www.alliancecigars.net	Avira URL Cloud: Label: malware
Source: http://www.aigamestudio.xyz	Avira URL Cloud: Label: malware
Source: http://www.petir99bro.xyz	Avira URL Cloud: Label: malware
Source: http://www.aigamestudio.xyz/egs9/www.petir99bro.xyz	Avira URL Cloud: Label: malware
Source: http://www.kpde.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.petir99bro.xyz/egs9/www.kongou.systems	Avira URL Cloud: Label: malware
Source: http://www.isbnu.shop	Avira URL Cloud: Label: malware
Source: http://www.petir99bro.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.kpde.xyz/egs9/www.t59bm675ri.skin	Avira URL Cloud: Label: malware
Source: http://www.alliancecigars.net	Avira URL Cloud: Label: malware
Source: http://www.653emd.top/egs9/	Avira URL Cloud: Label: malware
Source: http://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZM/DO1jiE4CQOHh/KO/hOdc1w==	Avira URL Cloud: Label: malware
Source: http://www.aigamestudio.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.isbnu.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.t59bm675ri.skin	Avira URL Cloud: Label: malware
Source: http://www.creativege.xyz/egs9/www.hikingk.store	Avira URL Cloud: Label: malware
Source: http://www.mentagekript.today/egs9/www.653emd.top	Avira URL Cloud: Label: malware
Source: http://www.kpde.xyz	Avira URL Cloud: Label: malware
Source: http://www.play-vanguard-nirvana.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.t59bm675ri.skin/egs9/www.evel789-aman.club	Avira URL Cloud: Label: malware
Source: http://www.t59bm675ri.skin/egs9/	Avira URL Cloud: Label: malware
Source: http://www.redgoodsgather.shop	Avira URL Cloud: Label: malware
Source: http://www.flippinforbidsfrear.cloud	Avira URL Cloud: Label: malware
Source: http://www.653emd.top/egs9/www.creativege.xyz	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe

Avira: detection malicious, Label: TR/Kryptik.enuja

Found malware configuration

Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.redgoodsgather.shop/egs9/"], "decoy": ["alliancecigars.net", "35893.pizza", "selidik.cloud", "evel789-aman.club", "wqsbr5jc.vip", "corretoraplanodesaude.shop", "balikoltada.xyz", "play-vanguard-nirvana.xyz", "paktuaslotxcxrtp.xyz", "retailzone1997.shop", "jk77juta-official.cloud", "godmoments.app", "flippinforbidsfrear.cloud", "234bets.net", "cryptobiz.tech", "construction-jobs-50157.bond", "cuficdarbiesdarleen.cloud", "t59bm675ri.skin", "ondqwxl.top", "kpde.xyz", "apoiador.xyz", "denotational.xyz", "fat-removal-40622.bond", "kqsamcsauqiagmma.xyz", "online-advertising-68283.bond", "mise96.xyz", "pokerdom55.vip", "arai.rest", "marketplace20.click", "kongou.systems", "isbnu.shop", "online-advertising-98154.bond", "pepsico.llc", "80072661.xyz", "wholesalemeat.today", "security-apps-16796.bond", "remationservices26114.shop", "kitchen-remodeling-14279.bond", "betterskin.store", "aigamestudio.xyz", "uhsrgi.info", "mentagekript.today", "box-spring-bed-50031.bond", "blood-flow.bond", "653emd.top", "venturelinks.net", "trendysolutions.store", "creativege.xyz", "sellhome.live", "petir99bro.xyz", "maipingxiu.net", "influencer-marketing-56510.bond", "czlovesys.xyz", "phpcrazy.net", "hikingk.store", "imstest.online", "bet2024.shop", "lord.land", "gobg.net", "armada77x.sbs", "msytuv.info", "buenosbufidinburez.cloud", "transeo.xyz", "deltaestates.online"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe

ReversingLabs: Detection: 73%

Multi AV Scanner detection for submitted file

Source: ysWQ4BqQrF.exe	ReversingLabs: Detection: 73%
Source: ysWQ4BqQrF.exe	Virustotal: Detection: 75%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: ysWQ4BqQrF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ysWQ4BqQrF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: RegSvcs.exe, 00000011.00000002.1353568783.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.1356113989.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000013.00000002.1354212242.00000000001E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1308989163.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1308491441.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478344250.0000000000140000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.2500429577.0000000010E8F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2481620369.0000000004BFF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478973491.000000000291B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1309235518.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1310681594.0000000004502000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.00000000046B0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1308646597.0000000004354000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.000000000484E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1349529051.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1351827980.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004880000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1309235518.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1310681594.0000000004502000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.00000000046B0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1308646597.0000000004354000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.000000000484E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1349529051.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1351827980.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004880000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 00000006.00000002.1308989163.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1308491441.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478344250.0000000000140000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.2500429577.0000000010E8F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2481620369.0000000004BFF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478973491.000000000291B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cscript.pdb source: RegSvcs.exe, 00000011.00000002.1353568783.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.1356113989.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000013.00000002.1354212242.00000000001E0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 4x nop then pop esi

6_2_004172FE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49692 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49692 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49692 -> 104.21.64.1:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49695 -> 104.21.69.61:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49695 -> 104.21.69.61:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49695 -> 104.21.69.61:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49696 -> 92.112.189.41:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49696 -> 92.112.189.41:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49696 -> 92.112.189.41:80
Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49694 -> 15.197.225.128:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49694 -> 15.197.225.128:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.6:49694 -> 15.197.225.128:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 15.197.225.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.69.61 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.64.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 92.112.189.41 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.redgoodsgather.shop/egs9/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.play-vanguard-nirvana.xyz
Source:	DNS query: www.kpde.xyz

Source: global traffic	HTTP traffic detected: GET /egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw== HTTP/1.1Host: www.play-vanguard-nirvana.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /egs9/?mVfp=MTrLPvVhZLm&K8elV=wA+abWeWfQrMiE4bW8SGLQYY6mDtYGtq3v+j3Td9NN12kduRfWzJue6T+YpGJtlAkwGAydKR6g== HTTP/1.1Host: www.alliancecigars.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /egs9/?K8elV=WY6dXz4hP2USskFVaG6AmVG36gfocnqcJNOT/iAq7eLnPv9oQtDKLFR9qtIXXXVluDfsS1HcVA==&mVfp=MTrLPvVhZLm HTTP/1.1Host: www.flippinforbidsfrear.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZM/DO1jiE4CQOHh/KO/hOdc1w== HTTP/1.1Host: www.kpde.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 15.197.225.128 15.197.225.128
Source: Joe Sandbox View	IP Address: 15.197.225.128 15.197.225.128
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1
Source: Joe Sandbox View	IP Address: 104.21.64.1 104.21.64.1

Source: Joe Sandbox View	ASN Name: TANDEMUS TANDEMUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View	ASN Name: UKRTELNETUA UKRTELNETUA

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 7_2_103F1F82 getaddrinfo,setsockopt,recv,

7_2_103F1F82

Source: global traffic	HTTP traffic detected: GET /egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw== HTTP/1.1Host: www.play-vanguard-nirvana.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /egs9/?mVfp=MTrLPvVhZLm&K8elV=wA+abWeWfQrMiE4bW8SGLQYY6mDtYGtq3v+j3Td9NN12kduRfWzJue6T+YpGJtlAkwGAydKR6g== HTTP/1.1Host: www.alliancecigars.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /egs9/?K8elV=WY6dXz4hP2USskFVaG6AmVG36gfocnqcJNOT/iAq7eLnPv9oQtDKLFR9qtIXXXVluDfsS1HcVA==&mVfp=MTrLPvVhZLm HTTP/1.1Host: www.flippinforbidsfrear.cloudConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZM/DO1jiE4CQOHh/KO/hOdc1w== HTTP/1.1Host: www.kpde.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: www.play-vanguard-nirvana.xyz
Source: global traffic	DNS traffic detected: DNS query: www.imstest.online
Source: global traffic	DNS traffic detected: DNS query: www.alliancecigars.net
Source: global traffic	DNS traffic detected: DNS query: www.flippinforbidsfrear.cloud
Source: global traffic	DNS traffic detected: DNS query: www.kpde.xyz

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: awselb/2.0Date: Tue, 11 Mar 2025 00:34:57 GMTContent-Length: 0Connection: closeWAFRule: 5

Source: explorer.exe, 00000007.00000002.2492681158.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1253596709.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: explorer.exe, 00000007.00000002.2492681158.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1253596709.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000007.00000002.2483177153.0000000004415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1252446139.0000000004415000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ns.adobeJH
Source: explorer.exe, 00000007.00000002.2492681158.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1253596709.00000000071CB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000007.00000002.2492681158.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl
Source: explorer.exe, 00000007.00000000.1254434187.00000000077B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2490367876.00000000077A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1254368362.0000000007700000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000007.00000002.2498060693.000000000C0D7000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsof
Source: ysWQ4BqQrF.exe, 00000000.00000002.1267972369.0000000002401000.00000004.00000800.00020000.00000000.sdmp, YNfDrfV.exe, 00000008.00000002.1307720399.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.653emd.top
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.653emd.top/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.653emd.top/egs9/www.creativege.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.653emd.topReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyz/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyz/egs9/www.petir99bro.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyzReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alliancecigars.net
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alliancecigars.net/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alliancecigars.net/egs9/www.flippinforbidsfrear.cloud
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alliancecigars.netReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyz/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyz/egs9/www.hikingk.store
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyzReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evel789-aman.club
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evel789-aman.club/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evel789-aman.club/egs9/www.redgoodsgather.shop
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.evel789-aman.clubReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flippinforbidsfrear.cloud
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flippinforbidsfrear.cloud/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flippinforbidsfrear.cloud/egs9/www.kpde.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.flippinforbidsfrear.cloudReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hikingk.store
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hikingk.store/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hikingk.store/egs9/www.isbnu.shop
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hikingk.storeReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imstest.online
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imstest.online/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imstest.online/egs9/www.alliancecigars.net
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.imstest.onlineReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shop
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shop/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shop/egs9/www.aigamestudio.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shopReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kongou.systems
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kongou.systems/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kongou.systemsReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kpde.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kpde.xyz/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kpde.xyz/egs9/www.t59bm675ri.skin
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kpde.xyzReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mentagekript.today
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mentagekript.today/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mentagekript.today/egs9/www.653emd.top
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.mentagekript.todayReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.petir99bro.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.petir99bro.xyz/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.petir99bro.xyz/egs9/www.kongou.systems
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.petir99bro.xyzReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyz
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyz/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyz/egs9/www.imstest.online
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyzReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shop
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shop/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shop/egs9/www.mentagekript.today
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shopReferer:
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.t59bm675ri.skin
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.t59bm675ri.skin/egs9/
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.t59bm675ri.skin/egs9/www.evel789-aman.club
Source: explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.t59bm675ri.skinReferer:
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppgr
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOSV
Source: explorer.exe, 00000007.00000000.1256858174.00000000092FD000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000007.00000002.2492681158.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.000000000934A000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000007.00000002.2492681158.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?3
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000007.00000002.2492681158.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comP;
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000007.00000002.2497114349.000000000BD56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BD56000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comZ
Source: explorer.exe, 00000007.00000002.2500429577.000000001137F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2481620369.00000000050EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZ
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.2499237217.0000000010409000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: ysWQ4BqQrF.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: YNfDrfV.exe PID: 372, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 6768, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A32A NtCreateFile,	6_2_0041A32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A382 NtReadFile,	6_2_0041A382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512B60 NtClose,LdrInitializeThunk,	6_2_01512B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_01512BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512AD0 NtReadFile,LdrInitializeThunk,	6_2_01512AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_01512D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_01512D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512DD0 NtDelayExecution,LdrInitializeThunk,	6_2_01512DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_01512DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_01512C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_01512CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512F30 NtCreateSection,LdrInitializeThunk,	6_2_01512F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512FE0 NtCreateFile,LdrInitializeThunk,	6_2_01512FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_01512F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512FB0 NtResumeThread,LdrInitializeThunk,	6_2_01512FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_01512E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_01512EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01514340 NtSetContextThread,	6_2_01514340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01514650 NtSuspendThread,	6_2_01514650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512BE0 NtQueryValueKey,	6_2_01512BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512B80 NtQueryInformationFile,	6_2_01512B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512BA0 NtEnumerateValueKey,	6_2_01512BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512AF0 NtWriteFile,	6_2_01512AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512AB0 NtWaitForSingleObject,	6_2_01512AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512D00 NtSetInformationFile,	6_2_01512D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512DB0 NtEnumerateKey,	6_2_01512DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512C60 NtCreateKey,	6_2_01512C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512C00 NtQueryInformationProcess,	6_2_01512C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512CC0 NtQueryVirtualMemory,	6_2_01512CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512CF0 NtOpenProcess,	6_2_01512CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512F60 NtCreateProcessEx,	6_2_01512F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512FA0 NtQuerySection,	6_2_01512FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512E30 NtWriteVirtualMemory,	6_2_01512E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512EE0 NtQueueApcThread,	6_2_01512EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01513010 NtOpenDirectoryObject,	6_2_01513010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01513090 NtSetValueKey,	6_2_01513090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015135C0 NtCreateMutant,	6_2_015135C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015139B0 NtGetContextThread,	6_2_015139B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01513D70 NtOpenThread,	6_2_01513D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01513D10 NtOpenProcessToken,	6_2_01513D10
Source: C:\Windows\explorer.exe	Code function: 7_2_103F1232 NtCreateFile,	7_2_103F1232
Source: C:\Windows\explorer.exe	Code function: 7_2_103F2E12 NtProtectVirtualMemory,	7_2_103F2E12
Source: C:\Windows\explorer.exe	Code function: 7_2_103F2E0A NtProtectVirtualMemory,	7_2_103F2E0A

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_00AFDDAC	0_2_00AFDDAC
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_05417848	0_2_05417848
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_06E39EBE	0_2_06E39EBE
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_06E31958	0_2_06E31958
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_06E37478	0_2_06E37478
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_06E33A83	0_2_06E33A83
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_06E3194F	0_2_06E3194F
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07056670	0_2_07056670
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07056680	0_2_07056680
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07058190	0_2_07058190
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07056EE1	0_2_07056EE1
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07056EF0	0_2_07056EF0
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07058B90	0_2_07058B90
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07056AB8	0_2_07056AB8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401174	6_2_00401174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041DBC0	6_2_0041DBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041E566	6_2_0041E566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E5B	6_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D729	6_2_0041D729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01568158	6_2_01568158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0100	6_2_014D0100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157A118	6_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015981CC	6_2_015981CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A01AA	6_2_015A01AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015941A2	6_2_015941A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159A352	6_2_0159A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A03E6	6_2_015A03E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE3F0	6_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015602C0	6_2_015602C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A0591	6_2_015A0591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01592446	6_2_01592446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01584420	6_2_01584420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158E4F6	6_2_0158E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01504750	6_2_01504750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DC7C0	6_2_014DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FC6E0	6_2_014FC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F6962	6_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015AA9A6	6_2_015AA9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EA840	6_2_014EA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E8F0	6_2_0150E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C68B8	6_2_014C68B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159AB40	6_2_0159AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01596BD7	6_2_01596BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157CD1F	6_2_0157CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EAD00	6_2_014EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DADE0	6_2_014DADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F8DBF	6_2_014F8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0C00	6_2_014E0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0CF2	6_2_014D0CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580CB5	6_2_01580CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01554F40	6_2_01554F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01500F30	6_2_01500F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01582F30	6_2_01582F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01522F28	6_2_01522F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D2FC8	6_2_014D2FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014ECFE0	6_2_014ECFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155EFA0	6_2_0155EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0E59	6_2_014E0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159EE26	6_2_0159EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159EEDB	6_2_0159EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159CE93	6_2_0159CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2E90	6_2_014F2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015AB16B	6_2_015AB16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0151516C	6_2_0151516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CF172	6_2_014CF172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EB1B0	6_2_014EB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158F0CC	6_2_0158F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015970E9	6_2_015970E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159F0E0	6_2_0159F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CD34C	6_2_014CD34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159132D	6_2_0159132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0152739A	6_2_0152739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FB2C0	6_2_014FB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015812ED	6_2_015812ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E52A0	6_2_014E52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01597571	6_2_01597571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157D5B0	6_2_0157D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D1460	6_2_014D1460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159F43F	6_2_0159F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159F7B0	6_2_0159F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015916CC	6_2_015916CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E9950	6_2_014E9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FB950	6_2_014FB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01575910	6_2_01575910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154D800	6_2_0154D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E38E0	6_2_014E38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159FB76	6_2_0159FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01555BF0	6_2_01555BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0151DBF9	6_2_0151DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FFB80	6_2_014FFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159FA49	6_2_0159FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01597A46	6_2_01597A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01553A6C	6_2_01553A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158DAC6	6_2_0158DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01525AA0	6_2_01525AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01581AA3	6_2_01581AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01591D5A	6_2_01591D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E3D40	6_2_014E3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01597D73	6_2_01597D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FFDC0	6_2_014FFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01559C32	6_2_01559C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159FCF2	6_2_0159FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159FF09	6_2_0159FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014A3FD2	6_2_014A3FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014A3FD5	6_2_014A3FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E1F92	6_2_014E1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159FFB1	6_2_0159FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E9EB0	6_2_014E9EB0
Source: C:\Windows\explorer.exe	Code function: 7_2_103F1232	7_2_103F1232
Source: C:\Windows\explorer.exe	Code function: 7_2_103F0036	7_2_103F0036
Source: C:\Windows\explorer.exe	Code function: 7_2_103E7082	7_2_103E7082
Source: C:\Windows\explorer.exe	Code function: 7_2_103EBB32	7_2_103EBB32
Source: C:\Windows\explorer.exe	Code function: 7_2_103EBB30	7_2_103EBB30
Source: C:\Windows\explorer.exe	Code function: 7_2_103EE912	7_2_103EE912
Source: C:\Windows\explorer.exe	Code function: 7_2_103E8D02	7_2_103E8D02
Source: C:\Windows\explorer.exe	Code function: 7_2_103F45CD	7_2_103F45CD
Source: C:\Windows\explorer.exe	Code function: 7_2_108D8082	7_2_108D8082
Source: C:\Windows\explorer.exe	Code function: 7_2_108E1036	7_2_108E1036
Source: C:\Windows\explorer.exe	Code function: 7_2_108E55CD	7_2_108E55CD
Source: C:\Windows\explorer.exe	Code function: 7_2_108D9D02	7_2_108D9D02
Source: C:\Windows\explorer.exe	Code function: 7_2_108DF912	7_2_108DF912
Source: C:\Windows\explorer.exe	Code function: 7_2_108E2232	7_2_108E2232
Source: C:\Windows\explorer.exe	Code function: 7_2_108DCB30	7_2_108DCB30
Source: C:\Windows\explorer.exe	Code function: 7_2_108DCB32	7_2_108DCB32
Source: C:\Windows\explorer.exe	Code function: 7_2_10A29082	7_2_10A29082
Source: C:\Windows\explorer.exe	Code function: 7_2_10A32036	7_2_10A32036
Source: C:\Windows\explorer.exe	Code function: 7_2_10A365CD	7_2_10A365CD
Source: C:\Windows\explorer.exe	Code function: 7_2_10A2AD02	7_2_10A2AD02
Source: C:\Windows\explorer.exe	Code function: 7_2_10A30912	7_2_10A30912
Source: C:\Windows\explorer.exe	Code function: 7_2_10A33232	7_2_10A33232
Source: C:\Windows\explorer.exe	Code function: 7_2_10A2DB32	7_2_10A2DB32
Source: C:\Windows\explorer.exe	Code function: 7_2_10A2DB30	7_2_10A2DB30
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_0106DDAC	8_2_0106DDAC
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_05027018	8_2_05027018
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_05021FF0	8_2_05021FF0
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_05020006	8_2_05020006
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_05020040	8_2_05020040
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_0502D731	8_2_0502D731
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_0502D740	8_2_0502D740
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_05027008	8_2_05027008
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_06D51398	8_2_06D51398
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_06D53521	8_2_06D53521
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_06D5138F	8_2_06D5138F
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_06D56F18	8_2_06D56F18
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_070F66D9	8_2_070F66D9
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_070F66E8	8_2_070F66E8
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_070F8388	8_2_070F8388
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_070F62B0	8_2_070F62B0
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_070F5E78	8_2_070F5E78
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_070F7988	8_2_070F7988

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01515130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0155F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 014CB970 appears 250 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0154EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 01527E54 appears 101 times

Source: ysWQ4BqQrF.exe, 00000000.00000000.1227725486.0000000000022000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameeTkJ.exe4 vs ysWQ4BqQrF.exe
Source: ysWQ4BqQrF.exe, 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ysWQ4BqQrF.exe
Source: ysWQ4BqQrF.exe, 00000000.00000002.1275967589.00000000071A0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs ysWQ4BqQrF.exe
Source: ysWQ4BqQrF.exe, 00000000.00000002.1267972369.00000000024DD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs ysWQ4BqQrF.exe
Source: ysWQ4BqQrF.exe, 00000000.00000002.1274677748.0000000006CE0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs ysWQ4BqQrF.exe
Source: ysWQ4BqQrF.exe, 00000000.00000002.1265937596.00000000005EE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs ysWQ4BqQrF.exe
Source: ysWQ4BqQrF.exe	Binary or memory string: OriginalFilenameeTkJ.exe4 vs ysWQ4BqQrF.exe

Source: ysWQ4BqQrF.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.2499237217.0000000010409000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: ysWQ4BqQrF.exe PID: 6408, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2720, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: YNfDrfV.exe PID: 372, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 6768, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 7180, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: ysWQ4BqQrF.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: YNfDrfV.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@163/11@5/4

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

File created: C:\Users\user\AppData\Roaming\YNfDrfV.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Mutant created: \Sessions\1\BaseNamedObjects\GUGzbA

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

File created: C:\Users\user\AppData\Local\Temp\tmp299E.tmp

Jump to behavior

Source: ysWQ4BqQrF.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: ysWQ4BqQrF.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ysWQ4BqQrF.exe	ReversingLabs: Detection: 73%
Source: ysWQ4BqQrF.exe	Virustotal: Detection: 75%

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

File read: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ysWQ4BqQrF.exe "C:\Users\user\Desktop\ysWQ4BqQrF.exe"
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\YNfDrfV.exe C:\Users\user\AppData\Roaming\YNfDrfV.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe "C:\Windows\SysWOW64\cscript.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ysWQ4BqQrF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: ysWQ4BqQrF.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: ysWQ4BqQrF.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cscript.pdbUGP source: RegSvcs.exe, 00000011.00000002.1353568783.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.1356113989.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000013.00000002.1354212242.00000000001E0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000006.00000002.1308989163.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1308491441.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478344250.0000000000140000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000007.00000002.2500429577.0000000010E8F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2481620369.0000000004BFF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478973491.000000000291B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.1309235518.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1310681594.0000000004502000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.00000000046B0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1308646597.0000000004354000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.000000000484E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1349529051.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1351827980.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004880000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.1309235518.00000000014A0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1310681594.0000000004502000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.00000000046B0000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 00000010.00000003.1308646597.0000000004354000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2480535520.000000000484E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004A1E000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1349529051.0000000004520000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000003.1351827980.00000000046D9000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000013.00000002.1355033981.0000000004880000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 00000006.00000002.1308989163.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.1308491441.0000000000F6D000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478344250.0000000000140000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000007.00000002.2500429577.0000000010E8F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2481620369.0000000004BFF000.00000004.10000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2478973491.000000000291B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cscript.pdb source: RegSvcs.exe, 00000011.00000002.1353568783.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000011.00000002.1356113989.0000000001AC0000.00000040.10000000.00040000.00000000.sdmp, cscript.exe, 00000013.00000002.1354212242.00000000001E0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: ysWQ4BqQrF.exe, BackgroundForms.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: YNfDrfV.exe.0.dr, BackgroundForms.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	.Net Code: aaU2wdb9OfolGKY5gGv System.Reflection.Assembly.Load(byte[])
Source: 0.2.ysWQ4BqQrF.exe.25ae1c0.0.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ysWQ4BqQrF.exe.6ce0000.3.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	.Net Code: aaU2wdb9OfolGKY5gGv System.Reflection.Assembly.Load(byte[])
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	.Net Code: aaU2wdb9OfolGKY5gGv System.Reflection.Assembly.Load(byte[])
Source: 8.2.YNfDrfV.exe.2bae160.0.raw.unpack, MainForm.cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: ysWQ4BqQrF.exe

Static PE information: 0xB221FC66 [Sat Sep 13 22:49:10 2064 UTC]

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_05419558 push eax; iretd	0_2_05419559
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_06E306B0 pushfd ; ret	0_2_06E306BD
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_0705A510 push esp; iretd	0_2_0705A511
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_0705F525 push FFFFFF8Bh; iretd	0_2_0705F527
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07057431 push esp; iretd	0_2_0705743D
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Code function: 0_2_07059DE8 push FFFFFFE9h; retf	0_2_07059DB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00407820 push edx; ret	6_2_0040783D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041F0B9 push eax; ret	6_2_0041F0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040E3FA push cs; retf	6_2_0040E413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4D2 push eax; ret	6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4DB push eax; ret	6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D485 push eax; ret	6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D53C push eax; ret	6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004077EA push edx; ret	6_2_0040783D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00408793 push edx; ret	6_2_0040879A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014A225F pushad ; ret	6_2_014A27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014A27FA pushad ; ret	6_2_014A27F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D09AD push ecx; mov dword ptr [esp], ecx	6_2_014D09B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014A283D push eax; iretd	6_2_014A2858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014A135E push eax; iretd	6_2_014A1369
Source: C:\Windows\explorer.exe	Code function: 7_2_103F4B1E push esp; retn 0000h	7_2_103F4B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_103F4B02 push esp; retn 0000h	7_2_103F4B03
Source: C:\Windows\explorer.exe	Code function: 7_2_103F49B5 push esp; retn 0000h	7_2_103F4AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_108E59B5 push esp; retn 0000h	7_2_108E5AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_108E5B02 push esp; retn 0000h	7_2_108E5B03
Source: C:\Windows\explorer.exe	Code function: 7_2_108E5B1E push esp; retn 0000h	7_2_108E5B1F
Source: C:\Windows\explorer.exe	Code function: 7_2_10A369B5 push esp; retn 0000h	7_2_10A36AE7
Source: C:\Windows\explorer.exe	Code function: 7_2_10A36B02 push esp; retn 0000h	7_2_10A36B03
Source: C:\Windows\explorer.exe	Code function: 7_2_10A36B1E push esp; retn 0000h	7_2_10A36B1F
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_05026D88 pushad ; ret	8_2_05026D96
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Code function: 8_2_06D50138 pushfd ; ret	8_2_06D50145

Source: ysWQ4BqQrF.exe	Static PE information: section name: .text entropy: 7.751641969269613
Source: YNfDrfV.exe.0.dr	Static PE information: section name: .text entropy: 7.751641969269613

Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, yYN3LZeGxkWglkjOZx.cs	High entropy of concatenated method names: 'QCQosIK7dd', 'hxlojreWXu', 'oKwowqhptK', 'PJYwrWR50H', 'WcYwzKeg06', 'sseoK70AEn', 'YQ9oMtDoXS', 'WVHoYtmZwl', 'VkvotC6hVg', 'IKRo0XGgmA'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, yr2deFq2f931OIfXoy.cs	High entropy of concatenated method names: 'UsebnvGtMq', 'uPubquO3Tg', 'SEpbmiscCU', 'l2LbWVwqBO', 'rM0bhvZE6J', 'hHBbT4hicr', 'Cl5bFxAeOJ', 'I39b4dAsDR', 'fXsbgPLZqb', 'DlZbvkcbiL'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, lpYAmXddBhtVd0vRZnW.cs	High entropy of concatenated method names: 'gsPprJAfXU', 'sRHpzLpsvv', 'b5JcKOMbPt', 'FjxcM2VelB', 'Bd6cY8pGwL', 'H9bctQj1VZ', 'av1c0CFJT5', 'Y9yc8aZeIJ', 'Gqacsl4KiU', 'F7vcItfn7x'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	High entropy of concatenated method names: 'PwIIGNo3HJ', 'vvnI6o7cX3', 'OxCICBV0vB', 'ioxIAxh60l', 'xxGIHmEkUA', 'aksI1jD2CZ', 'asuIOZIOOY', 'ChmIVdgsML', 'RSIIif1B7a', 'mikIre9tVQ'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, kOuhoQrCmYX29rWygG.cs	High entropy of concatenated method names: 'rjPoex1JG2', 'OkGoPxEyCt', 'AqnoRU2RSS', 'RBHoBh6QiZ', 'pimo2RPVHA', 'vPxoa3cxaU', 'YpdodGKRy7', 'C7WonILtEK', 'qGqoqNCD49', 'sJwoy1PTQp'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, BOcxrtd5nSAGqrHLIuD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSVl7UtI97', 'L6YlpjYTmg', 'FIBlcNDKCr', 'UIvllR6uUZ', 'Kytl57AvyF', 'zeulu6ryRO', 'qE1lUNrGjB'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, BZQRJSjfxbAZaRWQR2.cs	High entropy of concatenated method names: 'ToString', 'I66Dv25Co9', 'KdgDWwTwyD', 'FoODJC8uTK', 'l46Dh7mKlG', 'moUDT8Asft', 's96DZ14OGT', 'fwuDFAyvgk', 'nkAD4QUIK8', 'NOODQ5KPn9'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, X42qarbak4yLRxGZZc.cs	High entropy of concatenated method names: 'Sllpju0PMG', 'gUFpLbFAdH', 'cDbpwA2cWQ', 'TOBpoKERIF', 'K2hp78XjJR', 'DqTpfoO0Rb', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, Rhbe9ek7JLU3oueh1L.cs	High entropy of concatenated method names: 'Dispose', 'JD1MibJmkP', 'WASYWpahHh', 'z4PlHLvf78', 'LdEMrNEFu3', 'tXWMzrcqup', 'ProcessDialogKey', 'j62YKk8yug', 'GBYYMt2etl', 'tq3YYPOVSB'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, QdMqp2hcRk37SFZxxe.cs	High entropy of concatenated method names: 'fS6NVNh5hI', 'nD8NrLBYBW', 'F6aSKqC3Nn', 'QsoSMY5vTn', 'MKBNvToB6s', 'BeoNEFc1BL', 'CwpN3F5Rhd', 'PMdNGP7oXC', 'vQlN6fJlof', 'cuaNCOfVuW'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, PR6Q88nJZ4tlIMTCQy.cs	High entropy of concatenated method names: 'TVdjBd1Ivb', 'tQ8ja88gRN', 'irwjnd7TfY', 'fjMjqhfPAE', 'wV5jX1WvpD', 'vuJjDoW8i7', 'qh6jN1w7Pi', 'HfvjSHnPo5', 'nkFj7fAZOG', 'R13jpsenmX'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, a4hSlqAP8NWEPYInyj.cs	High entropy of concatenated method names: 'wdm7mrLMQv', 'xQ17W2ISID', 'D2c7JR2e9F', 'gEN7hOyoVG', 'OpD7TwtBCi', 'hod7Z0WPpB', 'LHD7Fpt1E0', 'tv674npVjM', 'MT07QIB8VB', 'sc27gWyy1h'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	High entropy of concatenated method names: 'ew3t8xTUkS', 'nk8tsBv7Fd', 'U0qtIuSSPi', 'XmKtj9lOpX', 'ApctLH791v', 'NoRtwcRiYV', 'D3HtoaMooP', 'uqLtfNZupx', 'hrFt94xCqq', 'jkhtxe5Gm5'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, Vr5Id254pA7jDaWFEY.cs	High entropy of concatenated method names: 'XOaMo3USG9', 'niXMfUYFru', 'TGeMx0NkFw', 'Hn7MkKJuuI', 'LtfMX93Xu8', 'DLFMDLVHu2', 'WIdrMjD7n4LQFYa3ax', 'HTxCDTlrl2ifpmG6qF', 'O5uCQdZYEJhWCvH24F', 'AFfMMsYls9'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, BYXBa7J1Id9cWWmeie.cs	High entropy of concatenated method names: 'jaFw8TjaHq', 'ecMwI4DfCv', 'FRiwL3Fra3', 'hB6wox2IM4', 'CjnwfflVUt', 'PFOLH8UJJ2', 'Su6L1jFX4Z', 'KGJLOUA18H', 'uNmLVdpNjV', 'nSKLijiXp1'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, f4S276znUWDxrspgbt.cs	High entropy of concatenated method names: 'K36paM3T2m', 'HjLpnuXqK1', 'W78pq1b8Vk', 'kTopmIJFqM', 'p2dpW2AakM', 'NwrphIgryh', 'dyXpTi8deq', 'OCepUGYTP3', 'iU9pebFT9C', 'OKjpP3EKVg'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, zpZj8Iwb1BQtEkf8I7.cs	High entropy of concatenated method names: 'bCKRfK9O2', 'a3YBUBfjv', 'bcEa4uDEQ', 'SKrd9PCae', 'PjMq3gda6', 'OaByBa3S9', 'q7MaOGsf7aLGYdlBDW', 'L4a4I3orFFcs3e4QVC', 'w4USVtspk', 'IMTpKTBB0'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, HUvQLPRDSnswoPbcPM.cs	High entropy of concatenated method names: 'v4jL28BIfS', 'ig5LdUhHjS', 'LvejJ8By4L', 'vU5jhvXk72', 'tNQjTHtYlD', 't6YjZwKnxy', 'eiOjFv3lrH', 'eorj4ad9HP', 'nPVjQfvOC1', 'ilCjg2ueaS'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, Bo0FOBdilP7qFKYcZAQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SYCpv4Xec4', 'TBFpEllCJO', 'fsXp3P9wwq', 'ailpGMFkkF', 'WQJp6NK6su', 'n9NpCYMRdq', 'bK2pAf2XdD'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, WpvUyIMbFNBNBEewoY.cs	High entropy of concatenated method names: 'yIDNxVOGmA', 'qvVNkR2138', 'ToString', 'MIANskDaqU', 'CHUNIrj4mb', 'WZkNjTQPct', 'mrgNLNE6E0', 'sCENw7WL3R', 'hTONoq3gXu', 'M4CNfToVeq'
Source: 0.2.ysWQ4BqQrF.exe.368e638.2.raw.unpack, WLPOoi3IpRU3GTScqI.cs	High entropy of concatenated method names: 'kS67XGsOA1', 'zeU7NRy9lL', 'hRb778AiSQ', 'DXF7cKhc18', 'SEx75vfRiJ', 'WdJ7Ub7OtF', 'Dispose', 'xhUSsxU0VD', 'vFxSIemGCd', 'snhSjs7mOB'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, yYN3LZeGxkWglkjOZx.cs	High entropy of concatenated method names: 'QCQosIK7dd', 'hxlojreWXu', 'oKwowqhptK', 'PJYwrWR50H', 'WcYwzKeg06', 'sseoK70AEn', 'YQ9oMtDoXS', 'WVHoYtmZwl', 'VkvotC6hVg', 'IKRo0XGgmA'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, yr2deFq2f931OIfXoy.cs	High entropy of concatenated method names: 'UsebnvGtMq', 'uPubquO3Tg', 'SEpbmiscCU', 'l2LbWVwqBO', 'rM0bhvZE6J', 'hHBbT4hicr', 'Cl5bFxAeOJ', 'I39b4dAsDR', 'fXsbgPLZqb', 'DlZbvkcbiL'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, lpYAmXddBhtVd0vRZnW.cs	High entropy of concatenated method names: 'gsPprJAfXU', 'sRHpzLpsvv', 'b5JcKOMbPt', 'FjxcM2VelB', 'Bd6cY8pGwL', 'H9bctQj1VZ', 'av1c0CFJT5', 'Y9yc8aZeIJ', 'Gqacsl4KiU', 'F7vcItfn7x'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	High entropy of concatenated method names: 'PwIIGNo3HJ', 'vvnI6o7cX3', 'OxCICBV0vB', 'ioxIAxh60l', 'xxGIHmEkUA', 'aksI1jD2CZ', 'asuIOZIOOY', 'ChmIVdgsML', 'RSIIif1B7a', 'mikIre9tVQ'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, kOuhoQrCmYX29rWygG.cs	High entropy of concatenated method names: 'rjPoex1JG2', 'OkGoPxEyCt', 'AqnoRU2RSS', 'RBHoBh6QiZ', 'pimo2RPVHA', 'vPxoa3cxaU', 'YpdodGKRy7', 'C7WonILtEK', 'qGqoqNCD49', 'sJwoy1PTQp'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, BOcxrtd5nSAGqrHLIuD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSVl7UtI97', 'L6YlpjYTmg', 'FIBlcNDKCr', 'UIvllR6uUZ', 'Kytl57AvyF', 'zeulu6ryRO', 'qE1lUNrGjB'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, BZQRJSjfxbAZaRWQR2.cs	High entropy of concatenated method names: 'ToString', 'I66Dv25Co9', 'KdgDWwTwyD', 'FoODJC8uTK', 'l46Dh7mKlG', 'moUDT8Asft', 's96DZ14OGT', 'fwuDFAyvgk', 'nkAD4QUIK8', 'NOODQ5KPn9'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, X42qarbak4yLRxGZZc.cs	High entropy of concatenated method names: 'Sllpju0PMG', 'gUFpLbFAdH', 'cDbpwA2cWQ', 'TOBpoKERIF', 'K2hp78XjJR', 'DqTpfoO0Rb', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, Rhbe9ek7JLU3oueh1L.cs	High entropy of concatenated method names: 'Dispose', 'JD1MibJmkP', 'WASYWpahHh', 'z4PlHLvf78', 'LdEMrNEFu3', 'tXWMzrcqup', 'ProcessDialogKey', 'j62YKk8yug', 'GBYYMt2etl', 'tq3YYPOVSB'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, QdMqp2hcRk37SFZxxe.cs	High entropy of concatenated method names: 'fS6NVNh5hI', 'nD8NrLBYBW', 'F6aSKqC3Nn', 'QsoSMY5vTn', 'MKBNvToB6s', 'BeoNEFc1BL', 'CwpN3F5Rhd', 'PMdNGP7oXC', 'vQlN6fJlof', 'cuaNCOfVuW'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, PR6Q88nJZ4tlIMTCQy.cs	High entropy of concatenated method names: 'TVdjBd1Ivb', 'tQ8ja88gRN', 'irwjnd7TfY', 'fjMjqhfPAE', 'wV5jX1WvpD', 'vuJjDoW8i7', 'qh6jN1w7Pi', 'HfvjSHnPo5', 'nkFj7fAZOG', 'R13jpsenmX'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, a4hSlqAP8NWEPYInyj.cs	High entropy of concatenated method names: 'wdm7mrLMQv', 'xQ17W2ISID', 'D2c7JR2e9F', 'gEN7hOyoVG', 'OpD7TwtBCi', 'hod7Z0WPpB', 'LHD7Fpt1E0', 'tv674npVjM', 'MT07QIB8VB', 'sc27gWyy1h'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	High entropy of concatenated method names: 'ew3t8xTUkS', 'nk8tsBv7Fd', 'U0qtIuSSPi', 'XmKtj9lOpX', 'ApctLH791v', 'NoRtwcRiYV', 'D3HtoaMooP', 'uqLtfNZupx', 'hrFt94xCqq', 'jkhtxe5Gm5'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, Vr5Id254pA7jDaWFEY.cs	High entropy of concatenated method names: 'XOaMo3USG9', 'niXMfUYFru', 'TGeMx0NkFw', 'Hn7MkKJuuI', 'LtfMX93Xu8', 'DLFMDLVHu2', 'WIdrMjD7n4LQFYa3ax', 'HTxCDTlrl2ifpmG6qF', 'O5uCQdZYEJhWCvH24F', 'AFfMMsYls9'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, BYXBa7J1Id9cWWmeie.cs	High entropy of concatenated method names: 'jaFw8TjaHq', 'ecMwI4DfCv', 'FRiwL3Fra3', 'hB6wox2IM4', 'CjnwfflVUt', 'PFOLH8UJJ2', 'Su6L1jFX4Z', 'KGJLOUA18H', 'uNmLVdpNjV', 'nSKLijiXp1'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, f4S276znUWDxrspgbt.cs	High entropy of concatenated method names: 'K36paM3T2m', 'HjLpnuXqK1', 'W78pq1b8Vk', 'kTopmIJFqM', 'p2dpW2AakM', 'NwrphIgryh', 'dyXpTi8deq', 'OCepUGYTP3', 'iU9pebFT9C', 'OKjpP3EKVg'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, zpZj8Iwb1BQtEkf8I7.cs	High entropy of concatenated method names: 'bCKRfK9O2', 'a3YBUBfjv', 'bcEa4uDEQ', 'SKrd9PCae', 'PjMq3gda6', 'OaByBa3S9', 'q7MaOGsf7aLGYdlBDW', 'L4a4I3orFFcs3e4QVC', 'w4USVtspk', 'IMTpKTBB0'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, HUvQLPRDSnswoPbcPM.cs	High entropy of concatenated method names: 'v4jL28BIfS', 'ig5LdUhHjS', 'LvejJ8By4L', 'vU5jhvXk72', 'tNQjTHtYlD', 't6YjZwKnxy', 'eiOjFv3lrH', 'eorj4ad9HP', 'nPVjQfvOC1', 'ilCjg2ueaS'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, Bo0FOBdilP7qFKYcZAQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SYCpv4Xec4', 'TBFpEllCJO', 'fsXp3P9wwq', 'ailpGMFkkF', 'WQJp6NK6su', 'n9NpCYMRdq', 'bK2pAf2XdD'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, WpvUyIMbFNBNBEewoY.cs	High entropy of concatenated method names: 'yIDNxVOGmA', 'qvVNkR2138', 'ToString', 'MIANskDaqU', 'CHUNIrj4mb', 'WZkNjTQPct', 'mrgNLNE6E0', 'sCENw7WL3R', 'hTONoq3gXu', 'M4CNfToVeq'
Source: 0.2.ysWQ4BqQrF.exe.361c218.1.raw.unpack, WLPOoi3IpRU3GTScqI.cs	High entropy of concatenated method names: 'kS67XGsOA1', 'zeU7NRy9lL', 'hRb778AiSQ', 'DXF7cKhc18', 'SEx75vfRiJ', 'WdJ7Ub7OtF', 'Dispose', 'xhUSsxU0VD', 'vFxSIemGCd', 'snhSjs7mOB'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, yYN3LZeGxkWglkjOZx.cs	High entropy of concatenated method names: 'QCQosIK7dd', 'hxlojreWXu', 'oKwowqhptK', 'PJYwrWR50H', 'WcYwzKeg06', 'sseoK70AEn', 'YQ9oMtDoXS', 'WVHoYtmZwl', 'VkvotC6hVg', 'IKRo0XGgmA'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, yr2deFq2f931OIfXoy.cs	High entropy of concatenated method names: 'UsebnvGtMq', 'uPubquO3Tg', 'SEpbmiscCU', 'l2LbWVwqBO', 'rM0bhvZE6J', 'hHBbT4hicr', 'Cl5bFxAeOJ', 'I39b4dAsDR', 'fXsbgPLZqb', 'DlZbvkcbiL'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, lpYAmXddBhtVd0vRZnW.cs	High entropy of concatenated method names: 'gsPprJAfXU', 'sRHpzLpsvv', 'b5JcKOMbPt', 'FjxcM2VelB', 'Bd6cY8pGwL', 'H9bctQj1VZ', 'av1c0CFJT5', 'Y9yc8aZeIJ', 'Gqacsl4KiU', 'F7vcItfn7x'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, JZnwkkYXCXji1Q8Kx0.cs	High entropy of concatenated method names: 'PwIIGNo3HJ', 'vvnI6o7cX3', 'OxCICBV0vB', 'ioxIAxh60l', 'xxGIHmEkUA', 'aksI1jD2CZ', 'asuIOZIOOY', 'ChmIVdgsML', 'RSIIif1B7a', 'mikIre9tVQ'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, kOuhoQrCmYX29rWygG.cs	High entropy of concatenated method names: 'rjPoex1JG2', 'OkGoPxEyCt', 'AqnoRU2RSS', 'RBHoBh6QiZ', 'pimo2RPVHA', 'vPxoa3cxaU', 'YpdodGKRy7', 'C7WonILtEK', 'qGqoqNCD49', 'sJwoy1PTQp'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, BOcxrtd5nSAGqrHLIuD.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'fSVl7UtI97', 'L6YlpjYTmg', 'FIBlcNDKCr', 'UIvllR6uUZ', 'Kytl57AvyF', 'zeulu6ryRO', 'qE1lUNrGjB'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, BZQRJSjfxbAZaRWQR2.cs	High entropy of concatenated method names: 'ToString', 'I66Dv25Co9', 'KdgDWwTwyD', 'FoODJC8uTK', 'l46Dh7mKlG', 'moUDT8Asft', 's96DZ14OGT', 'fwuDFAyvgk', 'nkAD4QUIK8', 'NOODQ5KPn9'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, X42qarbak4yLRxGZZc.cs	High entropy of concatenated method names: 'Sllpju0PMG', 'gUFpLbFAdH', 'cDbpwA2cWQ', 'TOBpoKERIF', 'K2hp78XjJR', 'DqTpfoO0Rb', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, Rhbe9ek7JLU3oueh1L.cs	High entropy of concatenated method names: 'Dispose', 'JD1MibJmkP', 'WASYWpahHh', 'z4PlHLvf78', 'LdEMrNEFu3', 'tXWMzrcqup', 'ProcessDialogKey', 'j62YKk8yug', 'GBYYMt2etl', 'tq3YYPOVSB'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, QdMqp2hcRk37SFZxxe.cs	High entropy of concatenated method names: 'fS6NVNh5hI', 'nD8NrLBYBW', 'F6aSKqC3Nn', 'QsoSMY5vTn', 'MKBNvToB6s', 'BeoNEFc1BL', 'CwpN3F5Rhd', 'PMdNGP7oXC', 'vQlN6fJlof', 'cuaNCOfVuW'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, PR6Q88nJZ4tlIMTCQy.cs	High entropy of concatenated method names: 'TVdjBd1Ivb', 'tQ8ja88gRN', 'irwjnd7TfY', 'fjMjqhfPAE', 'wV5jX1WvpD', 'vuJjDoW8i7', 'qh6jN1w7Pi', 'HfvjSHnPo5', 'nkFj7fAZOG', 'R13jpsenmX'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, a4hSlqAP8NWEPYInyj.cs	High entropy of concatenated method names: 'wdm7mrLMQv', 'xQ17W2ISID', 'D2c7JR2e9F', 'gEN7hOyoVG', 'OpD7TwtBCi', 'hod7Z0WPpB', 'LHD7Fpt1E0', 'tv674npVjM', 'MT07QIB8VB', 'sc27gWyy1h'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, q6F2oxcomMvFsKZ5RC.cs	High entropy of concatenated method names: 'ew3t8xTUkS', 'nk8tsBv7Fd', 'U0qtIuSSPi', 'XmKtj9lOpX', 'ApctLH791v', 'NoRtwcRiYV', 'D3HtoaMooP', 'uqLtfNZupx', 'hrFt94xCqq', 'jkhtxe5Gm5'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, Vr5Id254pA7jDaWFEY.cs	High entropy of concatenated method names: 'XOaMo3USG9', 'niXMfUYFru', 'TGeMx0NkFw', 'Hn7MkKJuuI', 'LtfMX93Xu8', 'DLFMDLVHu2', 'WIdrMjD7n4LQFYa3ax', 'HTxCDTlrl2ifpmG6qF', 'O5uCQdZYEJhWCvH24F', 'AFfMMsYls9'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, BYXBa7J1Id9cWWmeie.cs	High entropy of concatenated method names: 'jaFw8TjaHq', 'ecMwI4DfCv', 'FRiwL3Fra3', 'hB6wox2IM4', 'CjnwfflVUt', 'PFOLH8UJJ2', 'Su6L1jFX4Z', 'KGJLOUA18H', 'uNmLVdpNjV', 'nSKLijiXp1'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, f4S276znUWDxrspgbt.cs	High entropy of concatenated method names: 'K36paM3T2m', 'HjLpnuXqK1', 'W78pq1b8Vk', 'kTopmIJFqM', 'p2dpW2AakM', 'NwrphIgryh', 'dyXpTi8deq', 'OCepUGYTP3', 'iU9pebFT9C', 'OKjpP3EKVg'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, zpZj8Iwb1BQtEkf8I7.cs	High entropy of concatenated method names: 'bCKRfK9O2', 'a3YBUBfjv', 'bcEa4uDEQ', 'SKrd9PCae', 'PjMq3gda6', 'OaByBa3S9', 'q7MaOGsf7aLGYdlBDW', 'L4a4I3orFFcs3e4QVC', 'w4USVtspk', 'IMTpKTBB0'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, HUvQLPRDSnswoPbcPM.cs	High entropy of concatenated method names: 'v4jL28BIfS', 'ig5LdUhHjS', 'LvejJ8By4L', 'vU5jhvXk72', 'tNQjTHtYlD', 't6YjZwKnxy', 'eiOjFv3lrH', 'eorj4ad9HP', 'nPVjQfvOC1', 'ilCjg2ueaS'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, Bo0FOBdilP7qFKYcZAQ.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'SYCpv4Xec4', 'TBFpEllCJO', 'fsXp3P9wwq', 'ailpGMFkkF', 'WQJp6NK6su', 'n9NpCYMRdq', 'bK2pAf2XdD'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, WpvUyIMbFNBNBEewoY.cs	High entropy of concatenated method names: 'yIDNxVOGmA', 'qvVNkR2138', 'ToString', 'MIANskDaqU', 'CHUNIrj4mb', 'WZkNjTQPct', 'mrgNLNE6E0', 'sCENw7WL3R', 'hTONoq3gXu', 'M4CNfToVeq'
Source: 0.2.ysWQ4BqQrF.exe.71a0000.4.raw.unpack, WLPOoi3IpRU3GTScqI.cs	High entropy of concatenated method names: 'kS67XGsOA1', 'zeU7NRy9lL', 'hRb778AiSQ', 'DXF7cKhc18', 'SEx75vfRiJ', 'WdJ7Ub7OtF', 'Dispose', 'xhUSsxU0VD', 'vFxSIemGCd', 'snhSjs7mOB'

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

File created: C:\Users\user\AppData\Roaming\YNfDrfV.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp"

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEA

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: ysWQ4BqQrF.exe PID: 6408, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: YNfDrfV.exe PID: 372, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CD324
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105D0774
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CD944
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CD504
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CD544
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CD1E4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105D0154
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CD8A4
Source: C:\Windows\SysWOW64\cmstp.exe	API/Special instruction interceptor: Address: 7FF9105CDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2589904 second address: 258990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 2589B7E second address: 2589B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 27A9904 second address: 27A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 27A9B7E second address: 27A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: 2400000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: 8810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: 7360000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: 9810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: A810000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 1060000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 2A00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 2920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 6DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 9BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: 7470000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6051	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3533	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 9878	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 2949	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Window / User API: threadDelayed 7021	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

API coverage: 1.7 %

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe TID: 6480	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1788	Thread sleep time: -6456360425798339s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7424	Thread sleep count: 9878 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7424	Thread sleep time: -19756000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7424	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7424	Thread sleep time: -104000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe TID: 1064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7292	Thread sleep count: 2949 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7292	Thread sleep time: -5898000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7292	Thread sleep count: 7021 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe TID: 7292	Thread sleep time: -14042000s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmstp.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000007.00000002.2485688085.00000000070CF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000n
Source: explorer.exe, 00000007.00000000.1256858174.000000000936A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: ysWQ4BqQrF.exe, 00000000.00000002.1265937596.0000000000655000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000007.00000002.2492681158.000000000934A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.000000000934A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000007.00000002.2492681158.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: explorer.exe, 00000007.00000002.2492681158.0000000009315000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.0000000009315000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW\MP
Source: explorer.exe, 00000007.00000002.2492681158.0000000009474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000l
Source: explorer.exe, 00000007.00000002.2479086792.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000007.00000002.2492681158.0000000009474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000007.00000000.1256858174.000000000955C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000007.00000002.2479086792.0000000000963000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01568158 mov eax, dword ptr fs:[00000030h]	6_2_01568158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01564144 mov eax, dword ptr fs:[00000030h]	6_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01564144 mov eax, dword ptr fs:[00000030h]	6_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01564144 mov ecx, dword ptr fs:[00000030h]	6_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01564144 mov eax, dword ptr fs:[00000030h]	6_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01564144 mov eax, dword ptr fs:[00000030h]	6_2_01564144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6154 mov eax, dword ptr fs:[00000030h]	6_2_014D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6154 mov eax, dword ptr fs:[00000030h]	6_2_014D6154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CC156 mov eax, dword ptr fs:[00000030h]	6_2_014CC156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01590115 mov eax, dword ptr fs:[00000030h]	6_2_01590115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157A118 mov ecx, dword ptr fs:[00000030h]	6_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157A118 mov eax, dword ptr fs:[00000030h]	6_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157A118 mov eax, dword ptr fs:[00000030h]	6_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157A118 mov eax, dword ptr fs:[00000030h]	6_2_0157A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov eax, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov ecx, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov eax, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov eax, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov ecx, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov eax, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov eax, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov ecx, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov eax, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E10E mov ecx, dword ptr fs:[00000030h]	6_2_0157E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01500124 mov eax, dword ptr fs:[00000030h]	6_2_01500124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0154E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015961C3 mov eax, dword ptr fs:[00000030h]	6_2_015961C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015961C3 mov eax, dword ptr fs:[00000030h]	6_2_015961C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015001F8 mov eax, dword ptr fs:[00000030h]	6_2_015001F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A61E5 mov eax, dword ptr fs:[00000030h]	6_2_015A61E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155019F mov eax, dword ptr fs:[00000030h]	6_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155019F mov eax, dword ptr fs:[00000030h]	6_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155019F mov eax, dword ptr fs:[00000030h]	6_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155019F mov eax, dword ptr fs:[00000030h]	6_2_0155019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158C188 mov eax, dword ptr fs:[00000030h]	6_2_0158C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158C188 mov eax, dword ptr fs:[00000030h]	6_2_0158C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01510185 mov eax, dword ptr fs:[00000030h]	6_2_01510185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01574180 mov eax, dword ptr fs:[00000030h]	6_2_01574180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01574180 mov eax, dword ptr fs:[00000030h]	6_2_01574180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CA197 mov eax, dword ptr fs:[00000030h]	6_2_014CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CA197 mov eax, dword ptr fs:[00000030h]	6_2_014CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CA197 mov eax, dword ptr fs:[00000030h]	6_2_014CA197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556050 mov eax, dword ptr fs:[00000030h]	6_2_01556050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D2050 mov eax, dword ptr fs:[00000030h]	6_2_014D2050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FC073 mov eax, dword ptr fs:[00000030h]	6_2_014FC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01554000 mov ecx, dword ptr fs:[00000030h]	6_2_01554000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01572000 mov eax, dword ptr fs:[00000030h]	6_2_01572000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE016 mov eax, dword ptr fs:[00000030h]	6_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE016 mov eax, dword ptr fs:[00000030h]	6_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE016 mov eax, dword ptr fs:[00000030h]	6_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE016 mov eax, dword ptr fs:[00000030h]	6_2_014EE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01566030 mov eax, dword ptr fs:[00000030h]	6_2_01566030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CA020 mov eax, dword ptr fs:[00000030h]	6_2_014CA020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CC020 mov eax, dword ptr fs:[00000030h]	6_2_014CC020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015520DE mov eax, dword ptr fs:[00000030h]	6_2_015520DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015120F0 mov ecx, dword ptr fs:[00000030h]	6_2_015120F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D80E9 mov eax, dword ptr fs:[00000030h]	6_2_014D80E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CA0E3 mov ecx, dword ptr fs:[00000030h]	6_2_014CA0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015560E0 mov eax, dword ptr fs:[00000030h]	6_2_015560E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CC0F0 mov eax, dword ptr fs:[00000030h]	6_2_014CC0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D208A mov eax, dword ptr fs:[00000030h]	6_2_014D208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015960B8 mov eax, dword ptr fs:[00000030h]	6_2_015960B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015960B8 mov ecx, dword ptr fs:[00000030h]	6_2_015960B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015680A8 mov eax, dword ptr fs:[00000030h]	6_2_015680A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155035C mov eax, dword ptr fs:[00000030h]	6_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155035C mov eax, dword ptr fs:[00000030h]	6_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155035C mov eax, dword ptr fs:[00000030h]	6_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155035C mov ecx, dword ptr fs:[00000030h]	6_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155035C mov eax, dword ptr fs:[00000030h]	6_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155035C mov eax, dword ptr fs:[00000030h]	6_2_0155035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159A352 mov eax, dword ptr fs:[00000030h]	6_2_0159A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01552349 mov eax, dword ptr fs:[00000030h]	6_2_01552349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157437C mov eax, dword ptr fs:[00000030h]	6_2_0157437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A30B mov eax, dword ptr fs:[00000030h]	6_2_0150A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A30B mov eax, dword ptr fs:[00000030h]	6_2_0150A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A30B mov eax, dword ptr fs:[00000030h]	6_2_0150A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CC310 mov ecx, dword ptr fs:[00000030h]	6_2_014CC310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F0310 mov ecx, dword ptr fs:[00000030h]	6_2_014F0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015743D4 mov eax, dword ptr fs:[00000030h]	6_2_015743D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015743D4 mov eax, dword ptr fs:[00000030h]	6_2_015743D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E3DB mov eax, dword ptr fs:[00000030h]	6_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E3DB mov eax, dword ptr fs:[00000030h]	6_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E3DB mov ecx, dword ptr fs:[00000030h]	6_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157E3DB mov eax, dword ptr fs:[00000030h]	6_2_0157E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	6_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	6_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	6_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	6_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	6_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA3C0 mov eax, dword ptr fs:[00000030h]	6_2_014DA3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D83C0 mov eax, dword ptr fs:[00000030h]	6_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D83C0 mov eax, dword ptr fs:[00000030h]	6_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D83C0 mov eax, dword ptr fs:[00000030h]	6_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D83C0 mov eax, dword ptr fs:[00000030h]	6_2_014D83C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158C3CD mov eax, dword ptr fs:[00000030h]	6_2_0158C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015563C0 mov eax, dword ptr fs:[00000030h]	6_2_015563C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E03E9 mov eax, dword ptr fs:[00000030h]	6_2_014E03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015063FF mov eax, dword ptr fs:[00000030h]	6_2_015063FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE3F0 mov eax, dword ptr fs:[00000030h]	6_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE3F0 mov eax, dword ptr fs:[00000030h]	6_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE3F0 mov eax, dword ptr fs:[00000030h]	6_2_014EE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F438F mov eax, dword ptr fs:[00000030h]	6_2_014F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F438F mov eax, dword ptr fs:[00000030h]	6_2_014F438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CE388 mov eax, dword ptr fs:[00000030h]	6_2_014CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CE388 mov eax, dword ptr fs:[00000030h]	6_2_014CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CE388 mov eax, dword ptr fs:[00000030h]	6_2_014CE388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C8397 mov eax, dword ptr fs:[00000030h]	6_2_014C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C8397 mov eax, dword ptr fs:[00000030h]	6_2_014C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C8397 mov eax, dword ptr fs:[00000030h]	6_2_014C8397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158A250 mov eax, dword ptr fs:[00000030h]	6_2_0158A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158A250 mov eax, dword ptr fs:[00000030h]	6_2_0158A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6259 mov eax, dword ptr fs:[00000030h]	6_2_014D6259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01558243 mov eax, dword ptr fs:[00000030h]	6_2_01558243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01558243 mov ecx, dword ptr fs:[00000030h]	6_2_01558243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CA250 mov eax, dword ptr fs:[00000030h]	6_2_014CA250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C826B mov eax, dword ptr fs:[00000030h]	6_2_014C826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01580274 mov eax, dword ptr fs:[00000030h]	6_2_01580274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4260 mov eax, dword ptr fs:[00000030h]	6_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4260 mov eax, dword ptr fs:[00000030h]	6_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4260 mov eax, dword ptr fs:[00000030h]	6_2_014D4260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C823B mov eax, dword ptr fs:[00000030h]	6_2_014C823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	6_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	6_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	6_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	6_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA2C3 mov eax, dword ptr fs:[00000030h]	6_2_014DA2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E02E1 mov eax, dword ptr fs:[00000030h]	6_2_014E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E02E1 mov eax, dword ptr fs:[00000030h]	6_2_014E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E02E1 mov eax, dword ptr fs:[00000030h]	6_2_014E02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E284 mov eax, dword ptr fs:[00000030h]	6_2_0150E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E284 mov eax, dword ptr fs:[00000030h]	6_2_0150E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01550283 mov eax, dword ptr fs:[00000030h]	6_2_01550283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01550283 mov eax, dword ptr fs:[00000030h]	6_2_01550283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01550283 mov eax, dword ptr fs:[00000030h]	6_2_01550283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E02A0 mov eax, dword ptr fs:[00000030h]	6_2_014E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E02A0 mov eax, dword ptr fs:[00000030h]	6_2_014E02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015662A0 mov eax, dword ptr fs:[00000030h]	6_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015662A0 mov ecx, dword ptr fs:[00000030h]	6_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015662A0 mov eax, dword ptr fs:[00000030h]	6_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015662A0 mov eax, dword ptr fs:[00000030h]	6_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015662A0 mov eax, dword ptr fs:[00000030h]	6_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015662A0 mov eax, dword ptr fs:[00000030h]	6_2_015662A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8550 mov eax, dword ptr fs:[00000030h]	6_2_014D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8550 mov eax, dword ptr fs:[00000030h]	6_2_014D8550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150656A mov eax, dword ptr fs:[00000030h]	6_2_0150656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150656A mov eax, dword ptr fs:[00000030h]	6_2_0150656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150656A mov eax, dword ptr fs:[00000030h]	6_2_0150656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01566500 mov eax, dword ptr fs:[00000030h]	6_2_01566500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4500 mov eax, dword ptr fs:[00000030h]	6_2_015A4500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE53E mov eax, dword ptr fs:[00000030h]	6_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE53E mov eax, dword ptr fs:[00000030h]	6_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE53E mov eax, dword ptr fs:[00000030h]	6_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE53E mov eax, dword ptr fs:[00000030h]	6_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE53E mov eax, dword ptr fs:[00000030h]	6_2_014FE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535 mov eax, dword ptr fs:[00000030h]	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535 mov eax, dword ptr fs:[00000030h]	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535 mov eax, dword ptr fs:[00000030h]	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535 mov eax, dword ptr fs:[00000030h]	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535 mov eax, dword ptr fs:[00000030h]	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0535 mov eax, dword ptr fs:[00000030h]	6_2_014E0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0150A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A5D0 mov eax, dword ptr fs:[00000030h]	6_2_0150A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D65D0 mov eax, dword ptr fs:[00000030h]	6_2_014D65D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E5CF mov eax, dword ptr fs:[00000030h]	6_2_0150E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E5CF mov eax, dword ptr fs:[00000030h]	6_2_0150E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE5E7 mov eax, dword ptr fs:[00000030h]	6_2_014FE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D25E0 mov eax, dword ptr fs:[00000030h]	6_2_014D25E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C5ED mov eax, dword ptr fs:[00000030h]	6_2_0150C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C5ED mov eax, dword ptr fs:[00000030h]	6_2_0150C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E59C mov eax, dword ptr fs:[00000030h]	6_2_0150E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D2582 mov eax, dword ptr fs:[00000030h]	6_2_014D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D2582 mov ecx, dword ptr fs:[00000030h]	6_2_014D2582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01504588 mov eax, dword ptr fs:[00000030h]	6_2_01504588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015505A7 mov eax, dword ptr fs:[00000030h]	6_2_015505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015505A7 mov eax, dword ptr fs:[00000030h]	6_2_015505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015505A7 mov eax, dword ptr fs:[00000030h]	6_2_015505A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F45B1 mov eax, dword ptr fs:[00000030h]	6_2_014F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F45B1 mov eax, dword ptr fs:[00000030h]	6_2_014F45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158A456 mov eax, dword ptr fs:[00000030h]	6_2_0158A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C645D mov eax, dword ptr fs:[00000030h]	6_2_014C645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150E443 mov eax, dword ptr fs:[00000030h]	6_2_0150E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F245A mov eax, dword ptr fs:[00000030h]	6_2_014F245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155C460 mov ecx, dword ptr fs:[00000030h]	6_2_0155C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FA470 mov eax, dword ptr fs:[00000030h]	6_2_014FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FA470 mov eax, dword ptr fs:[00000030h]	6_2_014FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FA470 mov eax, dword ptr fs:[00000030h]	6_2_014FA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01508402 mov eax, dword ptr fs:[00000030h]	6_2_01508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01508402 mov eax, dword ptr fs:[00000030h]	6_2_01508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01508402 mov eax, dword ptr fs:[00000030h]	6_2_01508402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A430 mov eax, dword ptr fs:[00000030h]	6_2_0150A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CC427 mov eax, dword ptr fs:[00000030h]	6_2_014CC427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CE420 mov eax, dword ptr fs:[00000030h]	6_2_014CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CE420 mov eax, dword ptr fs:[00000030h]	6_2_014CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CE420 mov eax, dword ptr fs:[00000030h]	6_2_014CE420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01556420 mov eax, dword ptr fs:[00000030h]	6_2_01556420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D04E5 mov ecx, dword ptr fs:[00000030h]	6_2_014D04E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0158A49A mov eax, dword ptr fs:[00000030h]	6_2_0158A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015044B0 mov ecx, dword ptr fs:[00000030h]	6_2_015044B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0155A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D64AB mov eax, dword ptr fs:[00000030h]	6_2_014D64AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01554755 mov eax, dword ptr fs:[00000030h]	6_2_01554755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512750 mov eax, dword ptr fs:[00000030h]	6_2_01512750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512750 mov eax, dword ptr fs:[00000030h]	6_2_01512750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155E75D mov eax, dword ptr fs:[00000030h]	6_2_0155E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150674D mov esi, dword ptr fs:[00000030h]	6_2_0150674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150674D mov eax, dword ptr fs:[00000030h]	6_2_0150674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150674D mov eax, dword ptr fs:[00000030h]	6_2_0150674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0750 mov eax, dword ptr fs:[00000030h]	6_2_014D0750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8770 mov eax, dword ptr fs:[00000030h]	6_2_014D8770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0770 mov eax, dword ptr fs:[00000030h]	6_2_014E0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01500710 mov eax, dword ptr fs:[00000030h]	6_2_01500710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C700 mov eax, dword ptr fs:[00000030h]	6_2_0150C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0710 mov eax, dword ptr fs:[00000030h]	6_2_014D0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154C730 mov eax, dword ptr fs:[00000030h]	6_2_0154C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150273C mov eax, dword ptr fs:[00000030h]	6_2_0150273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150273C mov ecx, dword ptr fs:[00000030h]	6_2_0150273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150273C mov eax, dword ptr fs:[00000030h]	6_2_0150273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C720 mov eax, dword ptr fs:[00000030h]	6_2_0150C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C720 mov eax, dword ptr fs:[00000030h]	6_2_0150C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DC7C0 mov eax, dword ptr fs:[00000030h]	6_2_014DC7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015507C3 mov eax, dword ptr fs:[00000030h]	6_2_015507C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F27ED mov eax, dword ptr fs:[00000030h]	6_2_014F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F27ED mov eax, dword ptr fs:[00000030h]	6_2_014F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F27ED mov eax, dword ptr fs:[00000030h]	6_2_014F27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0155E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D47FB mov eax, dword ptr fs:[00000030h]	6_2_014D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D47FB mov eax, dword ptr fs:[00000030h]	6_2_014D47FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157678E mov eax, dword ptr fs:[00000030h]	6_2_0157678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D07AF mov eax, dword ptr fs:[00000030h]	6_2_014D07AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015847A0 mov eax, dword ptr fs:[00000030h]	6_2_015847A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EC640 mov eax, dword ptr fs:[00000030h]	6_2_014EC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01502674 mov eax, dword ptr fs:[00000030h]	6_2_01502674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A660 mov eax, dword ptr fs:[00000030h]	6_2_0150A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A660 mov eax, dword ptr fs:[00000030h]	6_2_0150A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159866E mov eax, dword ptr fs:[00000030h]	6_2_0159866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159866E mov eax, dword ptr fs:[00000030h]	6_2_0159866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E260B mov eax, dword ptr fs:[00000030h]	6_2_014E260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01512619 mov eax, dword ptr fs:[00000030h]	6_2_01512619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E609 mov eax, dword ptr fs:[00000030h]	6_2_0154E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D262C mov eax, dword ptr fs:[00000030h]	6_2_014D262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EE627 mov eax, dword ptr fs:[00000030h]	6_2_014EE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01506620 mov eax, dword ptr fs:[00000030h]	6_2_01506620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01508620 mov eax, dword ptr fs:[00000030h]	6_2_01508620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A6C7 mov ebx, dword ptr fs:[00000030h]	6_2_0150A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A6C7 mov eax, dword ptr fs:[00000030h]	6_2_0150A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015506F1 mov eax, dword ptr fs:[00000030h]	6_2_015506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015506F1 mov eax, dword ptr fs:[00000030h]	6_2_015506F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0154E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4690 mov eax, dword ptr fs:[00000030h]	6_2_014D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4690 mov eax, dword ptr fs:[00000030h]	6_2_014D4690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015066B0 mov eax, dword ptr fs:[00000030h]	6_2_015066B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C6A6 mov eax, dword ptr fs:[00000030h]	6_2_0150C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01550946 mov eax, dword ptr fs:[00000030h]	6_2_01550946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155C97C mov eax, dword ptr fs:[00000030h]	6_2_0155C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F6962 mov eax, dword ptr fs:[00000030h]	6_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F6962 mov eax, dword ptr fs:[00000030h]	6_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F6962 mov eax, dword ptr fs:[00000030h]	6_2_014F6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01574978 mov eax, dword ptr fs:[00000030h]	6_2_01574978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01574978 mov eax, dword ptr fs:[00000030h]	6_2_01574978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0151096E mov eax, dword ptr fs:[00000030h]	6_2_0151096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0151096E mov edx, dword ptr fs:[00000030h]	6_2_0151096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0151096E mov eax, dword ptr fs:[00000030h]	6_2_0151096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155C912 mov eax, dword ptr fs:[00000030h]	6_2_0155C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C8918 mov eax, dword ptr fs:[00000030h]	6_2_014C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C8918 mov eax, dword ptr fs:[00000030h]	6_2_014C8918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E908 mov eax, dword ptr fs:[00000030h]	6_2_0154E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154E908 mov eax, dword ptr fs:[00000030h]	6_2_0154E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0156892B mov eax, dword ptr fs:[00000030h]	6_2_0156892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155892A mov eax, dword ptr fs:[00000030h]	6_2_0155892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015049D0 mov eax, dword ptr fs:[00000030h]	6_2_015049D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0159A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015669C0 mov eax, dword ptr fs:[00000030h]	6_2_015669C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	6_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	6_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	6_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	6_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	6_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DA9D0 mov eax, dword ptr fs:[00000030h]	6_2_014DA9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015029F9 mov eax, dword ptr fs:[00000030h]	6_2_015029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015029F9 mov eax, dword ptr fs:[00000030h]	6_2_015029F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0155E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D09AD mov eax, dword ptr fs:[00000030h]	6_2_014D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D09AD mov eax, dword ptr fs:[00000030h]	6_2_014D09AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015589B3 mov esi, dword ptr fs:[00000030h]	6_2_015589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015589B3 mov eax, dword ptr fs:[00000030h]	6_2_015589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015589B3 mov eax, dword ptr fs:[00000030h]	6_2_015589B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01500854 mov eax, dword ptr fs:[00000030h]	6_2_01500854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4859 mov eax, dword ptr fs:[00000030h]	6_2_014D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D4859 mov eax, dword ptr fs:[00000030h]	6_2_014D4859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01566870 mov eax, dword ptr fs:[00000030h]	6_2_01566870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01566870 mov eax, dword ptr fs:[00000030h]	6_2_01566870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155E872 mov eax, dword ptr fs:[00000030h]	6_2_0155E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155E872 mov eax, dword ptr fs:[00000030h]	6_2_0155E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155C810 mov eax, dword ptr fs:[00000030h]	6_2_0155C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150A830 mov eax, dword ptr fs:[00000030h]	6_2_0150A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157483A mov eax, dword ptr fs:[00000030h]	6_2_0157483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157483A mov eax, dword ptr fs:[00000030h]	6_2_0157483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2835 mov eax, dword ptr fs:[00000030h]	6_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2835 mov eax, dword ptr fs:[00000030h]	6_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2835 mov eax, dword ptr fs:[00000030h]	6_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2835 mov ecx, dword ptr fs:[00000030h]	6_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2835 mov eax, dword ptr fs:[00000030h]	6_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F2835 mov eax, dword ptr fs:[00000030h]	6_2_014F2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FE8C0 mov eax, dword ptr fs:[00000030h]	6_2_014FE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0150C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150C8F9 mov eax, dword ptr fs:[00000030h]	6_2_0150C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0159A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155C89D mov eax, dword ptr fs:[00000030h]	6_2_0155C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0887 mov eax, dword ptr fs:[00000030h]	6_2_014D0887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157EB50 mov eax, dword ptr fs:[00000030h]	6_2_0157EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01584B4B mov eax, dword ptr fs:[00000030h]	6_2_01584B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01584B4B mov eax, dword ptr fs:[00000030h]	6_2_01584B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01578B42 mov eax, dword ptr fs:[00000030h]	6_2_01578B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01566B40 mov eax, dword ptr fs:[00000030h]	6_2_01566B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01566B40 mov eax, dword ptr fs:[00000030h]	6_2_01566B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0159AB40 mov eax, dword ptr fs:[00000030h]	6_2_0159AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014CCB7E mov eax, dword ptr fs:[00000030h]	6_2_014CCB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154EB1D mov eax, dword ptr fs:[00000030h]	6_2_0154EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FEB20 mov eax, dword ptr fs:[00000030h]	6_2_014FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FEB20 mov eax, dword ptr fs:[00000030h]	6_2_014FEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01598B28 mov eax, dword ptr fs:[00000030h]	6_2_01598B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01598B28 mov eax, dword ptr fs:[00000030h]	6_2_01598B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0BCD mov eax, dword ptr fs:[00000030h]	6_2_014D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0BCD mov eax, dword ptr fs:[00000030h]	6_2_014D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0BCD mov eax, dword ptr fs:[00000030h]	6_2_014D0BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F0BCB mov eax, dword ptr fs:[00000030h]	6_2_014F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F0BCB mov eax, dword ptr fs:[00000030h]	6_2_014F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F0BCB mov eax, dword ptr fs:[00000030h]	6_2_014F0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0157EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0155CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FEBFC mov eax, dword ptr fs:[00000030h]	6_2_014FEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8BF0 mov eax, dword ptr fs:[00000030h]	6_2_014D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8BF0 mov eax, dword ptr fs:[00000030h]	6_2_014D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8BF0 mov eax, dword ptr fs:[00000030h]	6_2_014D8BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01584BB0 mov eax, dword ptr fs:[00000030h]	6_2_01584BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01584BB0 mov eax, dword ptr fs:[00000030h]	6_2_01584BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0BBE mov eax, dword ptr fs:[00000030h]	6_2_014E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0BBE mov eax, dword ptr fs:[00000030h]	6_2_014E0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0A5B mov eax, dword ptr fs:[00000030h]	6_2_014E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014E0A5B mov eax, dword ptr fs:[00000030h]	6_2_014E0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D6A50 mov eax, dword ptr fs:[00000030h]	6_2_014D6A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154CA72 mov eax, dword ptr fs:[00000030h]	6_2_0154CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0154CA72 mov eax, dword ptr fs:[00000030h]	6_2_0154CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0157EA60 mov eax, dword ptr fs:[00000030h]	6_2_0157EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150CA6F mov eax, dword ptr fs:[00000030h]	6_2_0150CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150CA6F mov eax, dword ptr fs:[00000030h]	6_2_0150CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150CA6F mov eax, dword ptr fs:[00000030h]	6_2_0150CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0155CA11 mov eax, dword ptr fs:[00000030h]	6_2_0155CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FEA2E mov eax, dword ptr fs:[00000030h]	6_2_014FEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150CA38 mov eax, dword ptr fs:[00000030h]	6_2_0150CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150CA24 mov eax, dword ptr fs:[00000030h]	6_2_0150CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F4A35 mov eax, dword ptr fs:[00000030h]	6_2_014F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014F4A35 mov eax, dword ptr fs:[00000030h]	6_2_014F4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01504AD0 mov eax, dword ptr fs:[00000030h]	6_2_01504AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01504AD0 mov eax, dword ptr fs:[00000030h]	6_2_01504AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0AD0 mov eax, dword ptr fs:[00000030h]	6_2_014D0AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01526ACC mov eax, dword ptr fs:[00000030h]	6_2_01526ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01526ACC mov eax, dword ptr fs:[00000030h]	6_2_01526ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01526ACC mov eax, dword ptr fs:[00000030h]	6_2_01526ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150AAEE mov eax, dword ptr fs:[00000030h]	6_2_0150AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0150AAEE mov eax, dword ptr fs:[00000030h]	6_2_0150AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01508A90 mov edx, dword ptr fs:[00000030h]	6_2_01508A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014DEA80 mov eax, dword ptr fs:[00000030h]	6_2_014DEA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_015A4A80 mov eax, dword ptr fs:[00000030h]	6_2_015A4A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8AA0 mov eax, dword ptr fs:[00000030h]	6_2_014D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8AA0 mov eax, dword ptr fs:[00000030h]	6_2_014D8AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01526AA4 mov eax, dword ptr fs:[00000030h]	6_2_01526AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0D59 mov eax, dword ptr fs:[00000030h]	6_2_014D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0D59 mov eax, dword ptr fs:[00000030h]	6_2_014D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D0D59 mov eax, dword ptr fs:[00000030h]	6_2_014D0D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8D59 mov eax, dword ptr fs:[00000030h]	6_2_014D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8D59 mov eax, dword ptr fs:[00000030h]	6_2_014D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8D59 mov eax, dword ptr fs:[00000030h]	6_2_014D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8D59 mov eax, dword ptr fs:[00000030h]	6_2_014D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014D8D59 mov eax, dword ptr fs:[00000030h]	6_2_014D8D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01568D6B mov eax, dword ptr fs:[00000030h]	6_2_01568D6B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01588D10 mov eax, dword ptr fs:[00000030h]	6_2_01588D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01588D10 mov eax, dword ptr fs:[00000030h]	6_2_01588D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01504D1D mov eax, dword ptr fs:[00000030h]	6_2_01504D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EAD00 mov eax, dword ptr fs:[00000030h]	6_2_014EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EAD00 mov eax, dword ptr fs:[00000030h]	6_2_014EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014EAD00 mov eax, dword ptr fs:[00000030h]	6_2_014EAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C6D10 mov eax, dword ptr fs:[00000030h]	6_2_014C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C6D10 mov eax, dword ptr fs:[00000030h]	6_2_014C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014C6D10 mov eax, dword ptr fs:[00000030h]	6_2_014C6D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01558D20 mov eax, dword ptr fs:[00000030h]	6_2_01558D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01554DD7 mov eax, dword ptr fs:[00000030h]	6_2_01554DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01554DD7 mov eax, dword ptr fs:[00000030h]	6_2_01554DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_014FEDD3 mov eax, dword ptr fs:[00000030h]	6_2_014FEDD3

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 15.197.225.128 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.69.61 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.64.1 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 92.112.189.41 80	Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe"
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x142A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x171A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0x171A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0x142A56C

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 496	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Thread register set: target process: 496	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 496	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: 140000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: 1E0000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D4A008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F4D008	Jump to behavior

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\YNfDrfV.exe"	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp299E.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YNfDrfV" /XML "C:\Users\user\AppData\Local\Temp\tmp35B3.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: explorer.exe, 00000007.00000000.1249998615.0000000000949000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2479086792.0000000000949000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progmanh
Source: explorer.exe, 00000007.00000000.1253340661.0000000004510000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2480899625.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2492681158.00000000094C7000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.2480899625.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1250455699.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.2480899625.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1250455699.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerW
Source: explorer.exe, 00000007.00000002.2480899625.00000000010F1000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1250455699.00000000010F1000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Queries volume information: C:\Users\user\Desktop\ysWQ4BqQrF.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Queries volume information: C:\Users\user\AppData\Roaming\YNfDrfV.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\YNfDrfV.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\ysWQ4BqQrF.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000010.00000002.2479408214.0000000002B10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.1307896206.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2478604450.0000000002580000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.1354407609.00000000027A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1269762480.00000000034F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1316836574.0000000003AF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2479481626.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	812 Process Injection	1 Rootkit	1 Credential API Hooking	321 Security Software Discovery	Remote Services	1 Credential API Hooking	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Shared Modules	1 DLL Side-Loading	1 Scheduled Task/Job	1 Masquerading	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	41 Virtualization/Sandbox Evasion	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	812 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Deobfuscate/Decode Files or Information	Cached Domain Credentials	212 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Abuse Elevation Control Mechanism	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	4 Obfuscated Files or Information	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	12 Software Packing	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Timestomp	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 DLL Side-Loading	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ysWQ4BqQrF.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook
ysWQ4BqQrF.exe	75%	Virustotal		Browse
ysWQ4BqQrF.exe	100%	Avira	TR/Kryptik.enuja

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\YNfDrfV.exe	100%	Avira	TR/Kryptik.enuja
C:\Users\user\AppData\Roaming\YNfDrfV.exe	74%	ReversingLabs	ByteCode-MSIL.Backdoor.FormBook

Source	Detection	Scanner	Label
http://www.isbnu.shop/egs9/www.aigamestudio.xyz	100%	Avira URL Cloud	malware
https://android.notify.windows.com/iOSV	0%	Avira URL Cloud	safe
http://ns.adobeJH	0%	Avira URL Cloud	safe
http://www.hikingk.storeReferer:	0%	Avira URL Cloud	safe
http://www.alliancecigars.net/egs9/www.flippinforbidsfrear.cloud	100%	Avira URL Cloud	malware
http://www.evel789-aman.club/egs9/www.redgoodsgather.shop	100%	Avira URL Cloud	malware
http://www.flippinforbidsfrear.cloud/egs9/www.kpde.xyz	100%	Avira URL Cloud	malware
https://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZ	100%	Avira URL Cloud	malware
https://word.office.comZ	0%	Avira URL Cloud	safe
www.redgoodsgather.shop/egs9/	100%	Avira URL Cloud	malware
http://www.petir99bro.xyzReferer:	0%	Avira URL Cloud	safe
http://www.flippinforbidsfrear.cloud/egs9/?K8elV=WY6dXz4hP2USskFVaG6AmVG36gfocnqcJNOT/iAq7eLnPv9oQtDKLFR9qtIXXXVluDfsS1HcVA==&mVfp=MTrLPvVhZLm	100%	Avira URL Cloud	malware
http://www.evel789-aman.club	100%	Avira URL Cloud	malware
http://www.kongou.systems	100%	Avira URL Cloud	malware
http://www.hikingk.store/egs9/www.isbnu.shop	0%	Avira URL Cloud	safe
http://www.imstest.online	100%	Avira URL Cloud	malware
http://www.mentagekript.today/egs9/	100%	Avira URL Cloud	malware
http://www.flippinforbidsfrear.cloud/egs9/	100%	Avira URL Cloud	malware
http://www.redgoodsgather.shop/egs9/	100%	Avira URL Cloud	malware
http://www.653emd.top	100%	Avira URL Cloud	malware
http://www.play-vanguard-nirvana.xyzReferer:	0%	Avira URL Cloud	safe
http://www.redgoodsgather.shop/egs9/www.mentagekript.today	100%	Avira URL Cloud	malware
http://www.imstest.onlineReferer:	0%	Avira URL Cloud	safe
http://schemas.microsof	0%	Avira URL Cloud	safe
http://www.mentagekript.today	100%	Avira URL Cloud	malware
http://www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==	100%	Avira URL Cloud	malware
http://www.redgoodsgather.shopReferer:	0%	Avira URL Cloud	safe
http://www.play-vanguard-nirvana.xyz/egs9/www.imstest.online	100%	Avira URL Cloud	malware
http://www.alliancecigars.netReferer:	0%	Avira URL Cloud	safe
http://www.alliancecigars.net/egs9/?mVfp=MTrLPvVhZLm&K8elV=wA+abWeWfQrMiE4bW8SGLQYY6mDtYGtq3v+j3Td9NN12kduRfWzJue6T+YpGJtlAkwGAydKR6g==	100%	Avira URL Cloud	malware
http://www.kongou.systems/egs9/	100%	Avira URL Cloud	malware
http://www.evel789-aman.club/egs9/	100%	Avira URL Cloud	malware
https://outlook.comP;	0%	Avira URL Cloud	safe
http://www.alliancecigars.net/egs9/	100%	Avira URL Cloud	malware
http://www.creativege.xyzReferer:	0%	Avira URL Cloud	safe
http://www.flippinforbidsfrear.cloudReferer:	0%	Avira URL Cloud	safe
http://www.creativege.xyz/egs9/	100%	Avira URL Cloud	malware
http://www.imstest.online/egs9/	100%	Avira URL Cloud	malware
http://www.imstest.online/egs9/www.alliancecigars.net	100%	Avira URL Cloud	malware
http://www.aigamestudio.xyz	100%	Avira URL Cloud	malware
http://www.kpde.xyzReferer:	0%	Avira URL Cloud	safe
http://www.petir99bro.xyz	100%	Avira URL Cloud	malware
http://www.aigamestudio.xyz/egs9/www.petir99bro.xyz	100%	Avira URL Cloud	malware
http://www.kpde.xyz/egs9/	100%	Avira URL Cloud	malware
http://www.petir99bro.xyz/egs9/www.kongou.systems	100%	Avira URL Cloud	malware
http://www.isbnu.shop	100%	Avira URL Cloud	malware
http://www.t59bm675ri.skinReferer:	0%	Avira URL Cloud	safe
http://www.petir99bro.xyz/egs9/	100%	Avira URL Cloud	malware
http://www.kpde.xyz/egs9/www.t59bm675ri.skin	100%	Avira URL Cloud	malware
http://www.hikingk.store	0%	Avira URL Cloud	safe
http://www.alliancecigars.net	100%	Avira URL Cloud	malware
http://www.653emd.top/egs9/	100%	Avira URL Cloud	malware
http://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZM/DO1jiE4CQOHh/KO/hOdc1w==	100%	Avira URL Cloud	malware
http://www.kongou.systemsReferer:	0%	Avira URL Cloud	safe
http://www.aigamestudio.xyz/egs9/	100%	Avira URL Cloud	malware
http://www.evel789-aman.clubReferer:	0%	Avira URL Cloud	safe
http://www.mentagekript.todayReferer:	0%	Avira URL Cloud	safe
http://www.isbnu.shopReferer:	0%	Avira URL Cloud	safe
http://www.isbnu.shop/egs9/	100%	Avira URL Cloud	malware
http://www.t59bm675ri.skin	100%	Avira URL Cloud	malware
http://www.creativege.xyz/egs9/www.hikingk.store	100%	Avira URL Cloud	malware
http://www.mentagekript.today/egs9/www.653emd.top	100%	Avira URL Cloud	malware
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	0%	Avira URL Cloud	safe
http://www.hikingk.store/egs9/	0%	Avira URL Cloud	safe
http://www.kpde.xyz	100%	Avira URL Cloud	malware
http://www.play-vanguard-nirvana.xyz/egs9/	100%	Avira URL Cloud	malware
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	0%	Avira URL Cloud	safe
http://www.t59bm675ri.skin/egs9/www.evel789-aman.club	100%	Avira URL Cloud	malware
http://www.t59bm675ri.skin/egs9/	100%	Avira URL Cloud	malware
http://www.aigamestudio.xyzReferer:	0%	Avira URL Cloud	safe
http://www.redgoodsgather.shop	100%	Avira URL Cloud	malware
http://www.653emd.topReferer:	0%	Avira URL Cloud	safe
http://www.flippinforbidsfrear.cloud	100%	Avira URL Cloud	malware
http://www.653emd.top/egs9/www.creativege.xyz	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.play-vanguard-nirvana.xyz	104.21.64.1	true	true	unknown
kpde.xyz	92.112.189.41	true	true	unknown
www.flippinforbidsfrear.cloud	104.21.69.61	true	true	unknown
alliancecigars.net	15.197.225.128	true	true	unknown
www.alliancecigars.net	unknown	unknown	true	unknown
www.kpde.xyz	unknown	unknown	true	unknown
www.imstest.online	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.redgoodsgather.shop/egs9/	true	Avira URL Cloud: malware	unknown
http://www.flippinforbidsfrear.cloud/egs9/?K8elV=WY6dXz4hP2USskFVaG6AmVG36gfocnqcJNOT/iAq7eLnPv9oQtDKLFR9qtIXXXVluDfsS1HcVA==&mVfp=MTrLPvVhZLm	true	Avira URL Cloud: malware	unknown
http://www.play-vanguard-nirvana.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDzbC4NqmTLwL8cGw==	true	Avira URL Cloud: malware	unknown
http://www.alliancecigars.net/egs9/?mVfp=MTrLPvVhZLm&K8elV=wA+abWeWfQrMiE4bW8SGLQYY6mDtYGtq3v+j3Td9NN12kduRfWzJue6T+YpGJtlAkwGAydKR6g==	true	Avira URL Cloud: malware	unknown
http://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZM/DO1jiE4CQOHh/KO/hOdc1w==	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.kpde.xyz/egs9/?mVfp=MTrLPvVhZLm&K8elV=fanjuyis9OEXqqgHmTGuWHUOyMSWU2Qq009AAAE4Y9ljRR84yZ	explorer.exe, 00000007.00000002.2500429577.000000001137F000.00000004.80000000.00040000.00000000.sdmp, cmstp.exe, 00000010.00000002.2481620369.00000000050EF000.00000004.10000000.00040000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.flippinforbidsfrear.cloud/egs9/www.kpde.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOSV	explorer.exe, 00000007.00000002.2497114349.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.evel789-aman.club/egs9/www.redgoodsgather.shop	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comZ	explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ns.adobeJH	explorer.exe, 00000007.00000002.2483177153.0000000004415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1252446139.0000000004415000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alliancecigars.net/egs9/www.flippinforbidsfrear.cloud	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://excel.office.com	explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hikingk.storeReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.isbnu.shop/egs9/www.aigamestudio.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.flippinforbidsfrear.cloud/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.petir99bro.xyzReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kongou.systems	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.evel789-aman.club	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mentagekript.today/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.imstest.online	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.redgoodsgather.shop/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.hikingk.store/egs9/www.isbnu.shop	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.653emd.top	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://wns.windows.com/	explorer.exe, 00000007.00000002.2497114349.000000000BD56000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BD56000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	ysWQ4BqQrF.exe, 00000000.00000002.1267972369.0000000002401000.00000004.00000800.00020000.00000000.sdmp, YNfDrfV.exe, 00000008.00000002.1307720399.0000000002A4B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.microsof	explorer.exe, 00000007.00000002.2498060693.000000000C0D7000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.play-vanguard-nirvana.xyzReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.redgoodsgather.shop/egs9/www.mentagekript.today	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.imstest.onlineReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.mentagekript.today	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alliancecigars.netReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.play-vanguard-nirvana.xyz/egs9/www.imstest.online	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.redgoodsgather.shopReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kongou.systems/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://outlook.comP;	explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppgr	explorer.exe, 00000007.00000002.2497114349.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.evel789-aman.club/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.imstest.online/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.creativege.xyz/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000007.00000002.2497114349.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE5D000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.creativege.xyzReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.flippinforbidsfrear.cloudReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.alliancecigars.net/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aigamestudio.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.imstest.online/egs9/www.alliancecigars.net	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kpde.xyzReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.petir99bro.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aigamestudio.xyz/egs9/www.petir99bro.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kpde.xyz/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.isbnu.shop	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.petir99bro.xyz/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kpde.xyz/egs9/www.t59bm675ri.skin	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.t59bm675ri.skinReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.petir99bro.xyz/egs9/www.kongou.systems	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hikingk.store	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000007.00000000.1254434187.00000000077B0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000002.2490367876.00000000077A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000007.00000000.1254368362.0000000007700000.00000002.00000001.00040000.00000000.sdmp	false		high
http://www.alliancecigars.net	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.653emd.top/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kongou.systemsReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aigamestudio.xyz/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.mentagekript.todayReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.isbnu.shopReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.t59bm675ri.skin	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.evel789-aman.clubReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.isbnu.shop/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.creativege.xyz/egs9/www.hikingk.store	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.mentagekript.today/egs9/www.653emd.top	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hikingk.store/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://powerpoint.office.com	explorer.exe, 00000007.00000002.2497114349.000000000BE14000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1262378990.000000000BE14000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.kpde.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.t59bm675ri.skin/egs9/www.evel789-aman.club	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.play-vanguard-nirvana.xyz/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.t59bm675ri.skin/egs9/	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aigamestudio.xyzReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.redgoodsgather.shop	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.653emd.topReferer:	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?3	explorer.exe, 00000007.00000002.2492681158.00000000091E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000000.1256858174.00000000091E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.flippinforbidsfrear.cloud	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.653emd.top/egs9/www.creativege.xyz	explorer.exe, 00000007.00000002.2498060693.000000000C07E000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation	explorer.exe, 00000007.00000000.1253596709.0000000007124000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2485688085.0000000007124000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/	explorer.exe, 00000007.00000000.1256858174.00000000092FD000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
15.197.225.128	alliancecigars.net	United States	7430	TANDEMUS	true
104.21.69.61	www.flippinforbidsfrear.cloud	United States	13335	CLOUDFLARENETUS	true
104.21.64.1	www.play-vanguard-nirvana.xyz	United States	13335	CLOUDFLARENETUS	true
92.112.189.41	kpde.xyz	Ukraine	6849	UKRTELNETUA	true

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1634563
Start date and time:	2025-03-11 01:32:39 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ysWQ4BqQrF.exe renamed because original name is a hash value
Original Sample Name:	ef4948765f8caae1f84b2199e785842e19e49c39630422c12a603c93d3e6b4b4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@163/11@5/4
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 115 Number of non-executed functions: 308
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.60.203.209, 172.202.163.200, 20.109.210.53
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
01:33:37	Task Scheduler	Run new task: YNfDrfV path: C:\Users\user\AppData\Roaming\YNfDrfV.exe
20:33:35	API Interceptor	1x Sleep call for process: ysWQ4BqQrF.exe modified
20:33:37	API Interceptor	12x Sleep call for process: powershell.exe modified
20:33:38	API Interceptor	1x Sleep call for process: YNfDrfV.exe modified
20:33:39	API Interceptor	1387313x Sleep call for process: explorer.exe modified
20:34:22	API Interceptor	1603692x Sleep call for process: cmstp.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
15.197.225.128	New order supply.exe	Get hash	malicious	FormBook	Browse	www.asd.xyz/mg63/?_TAT3f=UfdXJdopwhMD&nHuxmL=hgsIXgenzHj9Fkp6isw5BpuEkHtEb16KEV9dCbOGsgIaBwgoQwsGBGK5T7l+ed3Z6T90
	http://www.schoolboxstuff.com	Get hash	malicious	Unknown	Browse	www.schoolboxstuff.com/
	rMTO.exe	Get hash	malicious	FormBook	Browse	www.asd.xyz/mg63/?Wr=hgsIXgenzHj9Fkp6isw5BpuEkHtEb16KEV9dCbOGsgIaBwgoQwsGBGK5T4duIMbh7zclEm4g7A==&GFNL1=9r1DJRB85
	http://yesincs.com	Get hash	malicious	Unknown	Browse	yesincs.com/
	http://wtsevent.com	Get hash	malicious	TechSupportScam	Browse	wtsevent.com/
	RyJhC2oYnM.exe	Get hash	malicious	Pony	Browse	abes.co/forum/viewtopic.php
	236236236.elf	Get hash	malicious	Unknown	Browse	littlemoneybigmoneyracing.com/
	Lab07-01.exe	Get hash	malicious	Unknown	Browse	www.practicalmalwareanalysis.com/ODA6NmU6NmY6NmU6Njk6NjMtam9uZXMa/a.png
	Lab07-01.exe	Get hash	malicious	Unknown	Browse	www.practicalmalwareanalysis.com/ODA6NmU6NmY6NmU6Njk6NjMtam9uZXMa/a.png
	URGENT REQUEST FOR QUOTATION.exe	Get hash	malicious	FormBook	Browse	www.linkwave.cloud/l8vr/
104.21.64.1	TXzf0xX2uq.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	begin.exe	Get hash	malicious	DarkTortilla, FormBook	Browse	www.kdrqcyusevx.info/z84n/
	Payment receipt PO 1437 1_ Payment receipt PO #1437 2.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/fix/five/fre.php
	Payment.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	7RryusxiMtHBz80.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sss2/five/fre.php
	Request for quotation -6001845515-XLSX.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/tking3/five/fre.php
	vsf098633534.exe	Get hash	malicious	Lokibot	Browse	touxzw.ir/sccc/five/fre.php
	laser.ps1	Get hash	malicious	FormBook	Browse	www.lucynoel6465.shop/jgkl/
	UPDATED SOA.pdf.exe	Get hash	malicious	FormBook	Browse	www.shlomi.app/t3l4/
	QUOTE OF DRY DOCK REPAIR.exe	Get hash	malicious	FormBook	Browse	www.arryongro-nambe.live/ljgq/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UKRTELNETUA	sh4.elf	Get hash	malicious	Mirai, Moobot	Browse	92.112.68.144
	jklmpsl.elf	Get hash	malicious	Unknown	Browse	37.55.245.40
	apep.m68k.elf	Get hash	malicious	Unknown	Browse	178.95.206.201
	u.elf	Get hash	malicious	Unknown	Browse	95.133.64.36
	apep.ppc.elf	Get hash	malicious	Unknown	Browse	92.113.237.46
	jklarm7.elf	Get hash	malicious	Unknown	Browse	37.52.39.65
	nabarm.elf	Get hash	malicious	Unknown	Browse	178.95.235.41
	cbr.mips.elf	Get hash	malicious	Mirai	Browse	46.201.252.65
	splppc.elf	Get hash	malicious	Unknown	Browse	95.133.64.20
	splarm5.elf	Get hash	malicious	Unknown	Browse	37.52.188.197
TANDEMUS	Online Notification.pdf	Get hash	malicious	HTMLPhisher	Browse	15.197.254.78
	ulQGCeP6wq.exe	Get hash	malicious	FormBook	Browse	15.197.172.60
	https://0utl00k_secure_pdfsharing.wesendit.com/dl/9WeFG1R9WGJTbgaCO/a3Jpc3RhbC5wbGFpc3RlZEBzb2RleG8uY29t__;!!P5FZM7ryyeY!UznDjsW7gO6EJncqNmJhgeM1Zawk4R__aUyCoG6Jb-mYlr-79K2gn3tFm6bOpnkuKuN_n69fA8HZASZsr-9bQyk$	Get hash	malicious	Unknown	Browse	15.197.198.189
	https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl	Get hash	malicious	Unknown	Browse	15.197.213.252
	https://aa1selfstorage.com/ioeloro/?wptouch_switch=mobile&redirect=//gamma.app/docs/Untitled-fw6wys6ubo63z1u?mode=present#card-wdvd2twm5f65uwl	Get hash	malicious	Unknown	Browse	15.197.213.252
	nabppc.elf	Get hash	malicious	Unknown	Browse	128.88.27.27
	Cbonline Q1 Handbook-0782794.pdf	Get hash	malicious	HTMLPhisher, Invisible JS	Browse	15.197.175.4
	updated quotation.exe	Get hash	malicious	FormBook	Browse	15.197.172.60
	updated quotation.exe	Get hash	malicious	FormBook	Browse	15.197.172.60
	http://paytrace.com	Get hash	malicious	Unknown	Browse	15.197.193.217
CLOUDFLARENETUS	yXNsOgimLV.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	hh01FRs81x.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	2k3GtCY6Zz.exe	Get hash	malicious	FormBook	Browse	104.21.41.115
	yXNsOgimLV.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	yxoY9FvULu.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	QS1BxkXZoD.exe	Get hash	malicious	FormBook	Browse	104.21.54.112
	amXZOaAQ8i.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	104.21.16.1
	LmK9xpRW3B.exe	Get hash	malicious	FormBook	Browse	104.21.79.189
	TXzf0xX2uq.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1
CLOUDFLARENETUS	yXNsOgimLV.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	hh01FRs81x.exe	Get hash	malicious	FormBook	Browse	104.21.96.1
	2k3GtCY6Zz.exe	Get hash	malicious	FormBook	Browse	104.21.41.115
	yXNsOgimLV.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.16.1
	yxoY9FvULu.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	QS1BxkXZoD.exe	Get hash	malicious	FormBook	Browse	104.21.54.112
	amXZOaAQ8i.exe	Get hash	malicious	MSIL Logger, MassLogger RAT	Browse	104.21.80.1
	UhuGtHUgHf.exe	Get hash	malicious	FormBook	Browse	104.21.16.1
	LmK9xpRW3B.exe	Get hash	malicious	FormBook	Browse	104.21.79.189
	TXzf0xX2uq.exe	Get hash	malicious	Lokibot	Browse	104.21.64.1

Process:	C:\Users\user\AppData\Roaming\YNfDrfV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.34331486778365
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhg84qXKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3ogvitHo6hAHKzea
MD5:	E193AFF55D4BDD9951CB4287A7D79653
SHA1:	F94AD920B9E0EB43B5005D74552AB84EAA38E985
SHA-256:	08DD5825B4EDCC256AEB08525DCBCDA342252A9C9746BE23FBC70A801F5A596E
SHA-512:	86F6ECDB47C1A7FFA460F3BC6038ACAFC9D4DED4D1E8D1FB7B8FE9145D9D384AB4EE7A7C3BE959A25B265AFEDB8FD31BA10073EC116B65BFE3326EF2C53394E6
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ysWQ4BqQrF.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YNfDrfV.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ysWQ4BqQrF.exe.log

Windows Analysis Report
ysWQ4BqQrF.exe