Edit tour

Windows Analysis Report
J8bamK92a3.exe

Overview

General Information

Sample name:	J8bamK92a3.exe renamed because original name is a hash value
Original sample name:	f5c1310cde2a72e5962fb57726082052a23777e395154a0c6274430268321cc2.exe
Analysis ID:	1634799
MD5:	2024f01e9ecf11328b3862491d2388e4
SHA1:	e7fa2bf7f7938411d77605ee925791286dddf47f
SHA256:	f5c1310cde2a72e5962fb57726082052a23777e395154a0c6274430268321cc2
Tags:	exeFormbookuser-adrian__luca
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM3

Yara detected FormBook

.NET source code contains potential unpacker

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found direct / indirect Syscall (likely to bypass EDR)

Injects a PE file into a foreign processes

Joe Sandbox ML detected suspicious sample

Loading BitLocker PowerShell Module

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Performs DNS queries to domains with low reputation

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a Windows Living Off The Land Binaries (LOL bins)

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

J8bamK92a3.exe (PID: 4564 cmdline: "C:\Users\user\Desktop\J8bamK92a3.exe" MD5: 2024F01E9ECF11328B3862491D2388E4)

powershell.exe (PID: 6236 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 5300 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

schtasks.exe (PID: 2816 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 320 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 2584 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

explorer.exe (PID: 4088 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

raserver.exe (PID: 6788 cmdline: "C:\Windows\SysWOW64\raserver.exe" MD5: D1053D114847677185F248FF98C3F255)

cmd.exe (PID: 5388 cmdline: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmstp.exe (PID: 5884 cmdline: "C:\Windows\SysWOW64\cmstp.exe" MD5: D7AABFAB5BEFD53BA3A27BD48F3CC675)

JnKLdAUJztP.exe (PID: 5460 cmdline: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe MD5: 2024F01E9ECF11328B3862491D2388E4)

schtasks.exe (PID: 4060 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegSvcs.exe (PID: 7112 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 7136 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

svchost.exe (PID: 6476 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Formbook, Formbo	FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.	SWEED Cobalt	http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/ http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html https://0xmrmagnezi.github.io/malware%20analysis/FormBook/ https://any.run/cybersecurity-blog/xloader-formbook-encryption-analysis-and-malware-decryption/	https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.redgoodsgather.shop/egs9/"], "decoy": ["alliancecigars.net", "35893.pizza", "selidik.cloud", "evel789-aman.club", "wqsbr5jc.vip", "corretoraplanodesaude.shop", "balikoltada.xyz", "play-vanguard-nirvana.xyz", "paktuaslotxcxrtp.xyz", "retailzone1997.shop", "jk77juta-official.cloud", "godmoments.app", "flippinforbidsfrear.cloud", "234bets.net", "cryptobiz.tech", "construction-jobs-50157.bond", "cuficdarbiesdarleen.cloud", "t59bm675ri.skin", "ondqwxl.top", "kpde.xyz", "apoiador.xyz", "denotational.xyz", "fat-removal-40622.bond", "kqsamcsauqiagmma.xyz", "online-advertising-68283.bond", "mise96.xyz", "pokerdom55.vip", "arai.rest", "marketplace20.click", "kongou.systems", "isbnu.shop", "online-advertising-98154.bond", "pepsico.llc", "80072661.xyz", "wholesalemeat.today", "security-apps-16796.bond", "remationservices26114.shop", "kitchen-remodeling-14279.bond", "betterskin.store", "aigamestudio.xyz", "uhsrgi.info", "mentagekript.today", "box-spring-bed-50031.bond", "blood-flow.bond", "653emd.top", "venturelinks.net", "trendysolutions.store", "creativege.xyz", "sellhome.live", "petir99bro.xyz", "maipingxiu.net", "influencer-marketing-56510.bond", "czlovesys.xyz", "phpcrazy.net", "hikingk.store", "imstest.online", "bet2024.shop", "lord.land", "gobg.net", "armada77x.sbs", "msytuv.info", "buenosbufidinburez.cloud", "transeo.xyz", "deltaestates.online"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.2128452624.0000000010CCE000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_772cc62d	unknown	unknown	0xa92:$a2: pass 0xa98:$a3: email 0xa9f:$a4: login 0xaa6:$a5: signin 0xab7:$a6: persistent 0xc8a:$r1: C:\Users\user\AppData\Roaming\3391S06C\339log.ini
00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6c09:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d548:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb387:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1626f:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa2c0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa53a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x1606d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15b59:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1616f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x162e7:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xaf52:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14dd4:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbc4b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c2af:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d2b2:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x191d1:$sqlite3step: 68 34 1C 7B E1 0x192e4:$sqlite3step: 68 34 1C 7B E1 0x19200:$sqlite3text: 68 38 2A 90 C5 0x19325:$sqlite3text: 68 38 2A 90 C5 0x19213:$sqlite3blob: 68 53 D8 7F 8C 0x1933b:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6241:$a1: 3C 30 50 4F 53 54 74 09 40 0x33661:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb80:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x49fa0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9bf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x37ddf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158a7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83 0x42cc7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x98f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x36d18:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x36f92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x42ac5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x15191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x425b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x42bc7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1591f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x42d3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa58a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x379aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1440c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x4182c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb283:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x386a3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8e7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x48d07:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18809:$sqlite3step: 68 34 1C 7B E1 0x1891c:$sqlite3step: 68 34 1C 7B E1 0x45c29:$sqlite3step: 68 34 1C 7B E1 0x45d3c:$sqlite3step: 68 34 1C 7B E1 0x18838:$sqlite3text: 68 38 2A 90 C5 0x1895d:$sqlite3text: 68 38 2A 90 C5 0x45c58:$sqlite3text: 68 38 2A 90 C5 0x45d7d:$sqlite3text: 68 38 2A 90 C5 0x1884b:$sqlite3blob: 68 53 D8 7F 8C 0x18973:$sqlite3blob: 68 53 D8 7F 8C 0x45c6b:$sqlite3blob: 68 53 D8 7F 8C 0x45d93:$sqlite3blob: 68 53 D8 7F 8C
0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6a91:$a1: 3C 30 50 4F 53 54 74 09 40 0x1d3d0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xb20f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x160f7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0xa148:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xa3c2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x15ef5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x159e1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x15ff7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1616f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xadda:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x14c5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xbad3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1c137:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1d13a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x19059:$sqlite3step: 68 34 1C 7B E1 0x1916c:$sqlite3step: 68 34 1C 7B E1 0x19088:$sqlite3text: 68 38 2A 90 C5 0x191ad:$sqlite3text: 68 38 2A 90 C5 0x1909b:$sqlite3blob: 68 53 D8 7F 8C 0x191c3:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: J8bamK92a3.exe PID: 4564	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: J8bamK92a3.exe PID: 4564	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x35e70:$a1: 3C 30 50 4F 53 54 74 09 40 0x37153:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: RegSvcs.exe PID: 2584	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x4a13f:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: JnKLdAUJztP.exe PID: 5460	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: JnKLdAUJztP.exe PID: 5460	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x42b03:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: raserver.exe PID: 6788	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x3cdfe:$a1: 3C 30 50 4F 53 54 74 09 40 0x40a61:$a1: 3C 30 50 4F 53 54 74 09 40 0xc3d97:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: cmstp.exe PID: 5884	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x35e7c:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 43 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
6.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6251:$a1: 3C 30 50 4F 53 54 74 09 40 0x1cb90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.RegSvcs.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1b8f7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1c8fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x18819:$sqlite3step: 68 34 1C 7B E1 0x1892c:$sqlite3step: 68 34 1C 7B E1 0x18848:$sqlite3text: 68 38 2A 90 C5 0x1896d:$sqlite3text: 68 38 2A 90 C5 0x1885b:$sqlite3blob: 68 53 D8 7F 8C 0x18983:$sqlite3blob: 68 53 D8 7F 8C
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
6.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x5451:$a1: 3C 30 50 4F 53 54 74 09 40 0x1bd90:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
6.2.RegSvcs.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x1aaf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1bafa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x17a19:$sqlite3step: 68 34 1C 7B E1 0x17b2c:$sqlite3step: 68 34 1C 7B E1 0x17a48:$sqlite3text: 68 38 2A 90 C5 0x17b6d:$sqlite3text: 68 38 2A 90 C5 0x17a5b:$sqlite3blob: 68 53 D8 7F 8C 0x17b83:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 5 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\J8bamK92a3.exe", ParentImage: C:\Users\user\Desktop\J8bamK92a3.exe, ParentProcessId: 4564, ParentProcessName: J8bamK92a3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe", ProcessId: 6236, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Suspicious Add Scheduled Task Parent

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe, ParentImage: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe, ParentProcessId: 5460, ParentProcessName: JnKLdAUJztP.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp", ProcessId: 4060, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\J8bamK92a3.exe", ParentImage: C:\Users\user\Desktop\J8bamK92a3.exe, ParentProcessId: 4564, ParentProcessName: J8bamK92a3.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp", ProcessId: 2816, ProcessName: schtasks.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\J8bamK92a3.exe", ParentImage: C:\Users\user\Desktop\J8bamK92a3.exe, ParentProcessId: 4564, ParentProcessName: J8bamK92a3.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe", ProcessId: 6236, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 628, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6476, ProcessName: svchost.exe

Persistence and Installation Behavior

Sigma detected: Scheduled temp file as task from temp location

Source: Process started

Author: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\J8bamK92a3.exe", ParentImage: C:\Users\user\Desktop\J8bamK92a3.exe, ParentProcessId: 4564, ParentProcessName: J8bamK92a3.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp", ProcessId: 2816, ProcessName: schtasks.exe

Suricata Signatures

ET MALWARE FormBook CnC Checkin (GET)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-03-11T04:54:34.276378+0100	2031453	1	Malware Command and Control Activity Detected	192.168.2.7	51602	104.21.16.1	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: J8bamK92a3.exe

Avira: detected

Antivirus detection for URL or domain

Source: www.redgoodsgather.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.ondqwxl.top	Avira URL Cloud: Label: malware
Source: http://www.denotational.xyz/egs9/www.play-vanguard-nirvana.xyz	Avira URL Cloud: Label: malware
Source: http://www.play-vanguard-nirvana.xyz/egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p	Avira URL Cloud: Label: malware
Source: http://www.redgoodsgather.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.play-vanguard-nirvana.xyz/egs9/www.creativege.xyz	Avira URL Cloud: Label: malware
Source: http://www.jk77juta-official.cloud/egs9/	Avira URL Cloud: Label: malware
Source: http://www.wqsbr5jc.vip/egs9/www.retailzone1997.shop	Avira URL Cloud: Label: malware
Source: http://www.blood-flow.bond/egs9/	Avira URL Cloud: Label: malware
Source: http://www.blood-flow.bond/egs9/www.ondqwxl.top	Avira URL Cloud: Label: malware
Source: http://www.maipingxiu.net	Avira URL Cloud: Label: malware
Source: http://www.sellhome.live/egs9/	Avira URL Cloud: Label: malware
Source: http://www.sellhome.live	Avira URL Cloud: Label: malware
Source: http://www.remationservices26114.shop/egs9/www.redgoodsgather.shop	Avira URL Cloud: Label: malware
Source: http://www.uhsrgi.info/egs9/www.blood-flow.bond	Avira URL Cloud: Label: malware
Source: http://www.creativege.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.fat-removal-40622.bond/egs9/www.uhsrgi.info	Avira URL Cloud: Label: malware
Source: http://www.remationservices26114.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.aigamestudio.xyz	Avira URL Cloud: Label: malware
Source: http://www.creativege.xyz/egs9/www.remationservices26114.shop	Avira URL Cloud: Label: malware
Source: http://www.isbnu.shop	Avira URL Cloud: Label: malware
Source: http://www.redgoodsgather.shop/egs9/www.jk77juta-official.cloud	Avira URL Cloud: Label: malware
Source: http://www.denotational.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.uhsrgi.info/egs9/	Avira URL Cloud: Label: malware
Source: http://www.blood-flow.bond	Avira URL Cloud: Label: malware
Source: http://www.aigamestudio.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.jk77juta-official.cloud	Avira URL Cloud: Label: malware
Source: http://www.wqsbr5jc.vip	Avira URL Cloud: Label: malware
Source: http://www.isbnu.shop/egs9/www.fat-removal-40622.bond	Avira URL Cloud: Label: malware
Source: http://www.fat-removal-40622.bond	Avira URL Cloud: Label: malware
Source: http://www.fat-removal-40622.bond/egs9/	Avira URL Cloud: Label: malware
Source: http://www.ondqwxl.top/egs9/	Avira URL Cloud: Label: malware
Source: http://www.denotational.xyz	Avira URL Cloud: Label: malware
Source: http://www.isbnu.shop/egs9/	Avira URL Cloud: Label: malware
Source: http://www.aigamestudio.xyz/egs9/www.isbnu.shop	Avira URL Cloud: Label: malware
Source: http://www.sellhome.live/egs9/www.aigamestudio.xyz	Avira URL Cloud: Label: malware
Source: http://www.uhsrgi.info	Avira URL Cloud: Label: malware
Source: http://www.remationservices26114.shop	Avira URL Cloud: Label: malware
Source: http://www.maipingxiu.net/egs9/	Avira URL Cloud: Label: malware
Source: http://www.play-vanguard-nirvana.xyz/egs9/	Avira URL Cloud: Label: malware
Source: http://www.wqsbr5jc.vip/egs9/	Avira URL Cloud: Label: malware
Source: http://www.redgoodsgather.shop	Avira URL Cloud: Label: malware
Source: http://www.ondqwxl.top/egs9/www.maipingxiu.net	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe

Avira: detection malicious, Label: TR/Kryptik.epuil

Found malware configuration

Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.redgoodsgather.shop/egs9/"], "decoy": ["alliancecigars.net", "35893.pizza", "selidik.cloud", "evel789-aman.club", "wqsbr5jc.vip", "corretoraplanodesaude.shop", "balikoltada.xyz", "play-vanguard-nirvana.xyz", "paktuaslotxcxrtp.xyz", "retailzone1997.shop", "jk77juta-official.cloud", "godmoments.app", "flippinforbidsfrear.cloud", "234bets.net", "cryptobiz.tech", "construction-jobs-50157.bond", "cuficdarbiesdarleen.cloud", "t59bm675ri.skin", "ondqwxl.top", "kpde.xyz", "apoiador.xyz", "denotational.xyz", "fat-removal-40622.bond", "kqsamcsauqiagmma.xyz", "online-advertising-68283.bond", "mise96.xyz", "pokerdom55.vip", "arai.rest", "marketplace20.click", "kongou.systems", "isbnu.shop", "online-advertising-98154.bond", "pepsico.llc", "80072661.xyz", "wholesalemeat.today", "security-apps-16796.bond", "remationservices26114.shop", "kitchen-remodeling-14279.bond", "betterskin.store", "aigamestudio.xyz", "uhsrgi.info", "mentagekript.today", "box-spring-bed-50031.bond", "blood-flow.bond", "653emd.top", "venturelinks.net", "trendysolutions.store", "creativege.xyz", "sellhome.live", "petir99bro.xyz", "maipingxiu.net", "influencer-marketing-56510.bond", "czlovesys.xyz", "phpcrazy.net", "hikingk.store", "imstest.online", "bet2024.shop", "lord.land", "gobg.net", "armada77x.sbs", "msytuv.info", "buenosbufidinburez.cloud", "transeo.xyz", "deltaestates.online"]}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe

ReversingLabs: Detection: 78%

Multi AV Scanner detection for submitted file

Source: J8bamK92a3.exe	Virustotal: Detection: 81%			Perma Link
Source: J8bamK92a3.exe	ReversingLabs: Detection: 78%

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DE0115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,	12_2_00DE0115
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DDFD30 CryptExportKey,GetLastError,malloc,CryptExportKey,GetLastError,free,	12_2_00DDFD30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DDDAFB CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,SysFreeString,	12_2_00DDDAFB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DDFA58 CryptAcquireContextW,GetLastError,CryptGetUserKey,GetLastError,CryptGenKey,GetLastError,GetLastError,	12_2_00DDFA58
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DDFE35 CryptBinaryToStringW,GetLastError,malloc,CryptBinaryToStringW,GetLastError,free,SysFreeString,	12_2_00DDFE35
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DE0383 __EH_prolog3_GS,SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString,	12_2_00DE0383
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DDFF58 CryptStringToBinaryW,GetLastError,malloc,CryptStringToBinaryW,GetLastError,	12_2_00DDFF58

Source: J8bamK92a3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: J8bamK92a3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.943116968.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.937630500.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.941778001.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000008.00000002.2128097968.000000001041F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 0000000C.00000002.2114415874.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2117009769.0000000004F8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.931535294.0000000001260000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000C.00000003.932162810.0000000004898000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000003.929911941.00000000046E1000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.935657291.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.000000000531E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.939434306.0000000004FD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.931535294.0000000001260000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, raserver.exe, 0000000C.00000003.932162810.0000000004898000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000003.929911941.00000000046E1000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.935657291.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.000000000531E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.939434306.0000000004FD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: RegSvcs.exe, 00000006.00000002.931428697.0000000001220000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.930236422.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 0000000C.00000002.2114997792.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 0000000E.00000002.943116968.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.937630500.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.941778001.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000008.00000002.2128097968.000000001041F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 0000000C.00000002.2114415874.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2117009769.0000000004F8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 00000006.00000002.931428697.0000000001220000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.930236422.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2114997792.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 4x nop then jmp 06D4FEB0h	0_2_06D4F50B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then pop esi	6_2_004172FE
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 4x nop then jmp 0700F188h	7_2_0700E7E3
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 4x nop then pop esi	12_2_007D72FE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2031412 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:51602 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2031449 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:51602 -> 104.21.16.1:80
Source: Network traffic	Suricata IDS: 2031453 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) : 192.168.2.7:51602 -> 104.21.16.1:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 104.21.16.1 80

Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.redgoodsgather.shop/egs9/

Performs DNS queries to domains with low reputation

Source:	DNS query: www.denotational.xyz
Source:	DNS query: www.play-vanguard-nirvana.xyz

Source: global traffic

TCP traffic: 192.168.2.7:51591 -> 162.159.36.2:53

Source: global traffic

HTTP traffic detected: GET /egs9/?9r=2m/uVQwqKH2EIWlawszTKzvIepBfVH/HI19qzylF05nDLsWuBLn1pb4DiFDKEzYOkwPMwL8bVA==&vZR=H2MpG0p HTTP/1.1Host: www.play-vanguard-nirvana.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203
Source: Joe Sandbox View	IP Address: 204.79.197.203 204.79.197.203

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\explorer.exe

Code function: 8_2_10CB6F82 getaddrinfo,setsockopt,recv,

8_2_10CB6F82

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: 18.31.95.13.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.denotational.xyz
Source: global traffic	DNS traffic detected: DNS query: 56.163.245.4.in-addr.arpa
Source: global traffic	DNS traffic detected: DNS query: www.play-vanguard-nirvana.xyz
Source: global traffic	DNS traffic detected: DNS query: www.remationservices26114.shop
Source: global traffic	DNS traffic detected: DNS query: www.redgoodsgather.shop
Source: global traffic	DNS traffic detected: DNS query: www.jk77juta-official.cloud

Source: explorer.exe, 00000008.00000002.2122145010.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.000000000867B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.882191100.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: svchost.exe, 00000013.00000002.2119124793.000001D518C00000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: explorer.exe, 00000008.00000002.2122145010.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.000000000867B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.882191100.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.19.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.19.dr, qmgr.db.19.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: explorer.exe, 00000008.00000002.2122145010.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.000000000867B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.882191100.0000000006B9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000008.00000000.885759071.0000000008610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2122145010.0000000008610000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crl$
Source: explorer.exe, 00000008.00000000.883135949.00000000070C0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.883009420.0000000007010000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.2123677207.0000000008D80000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: J8bamK92a3.exe, 00000000.00000002.896055559.0000000002648000.00000004.00000800.00020000.00000000.sdmp, JnKLdAUJztP.exe, 00000007.00000002.928005261.0000000002C28000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyz/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyz/egs9/www.isbnu.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aigamestudio.xyzReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blood-flow.bond
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blood-flow.bond/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blood-flow.bond/egs9/www.ondqwxl.top
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.blood-flow.bondReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyz/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyz/egs9/www.remationservices26114.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.creativege.xyzReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.denotational.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.denotational.xyz/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.denotational.xyz/egs9/www.play-vanguard-nirvana.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.denotational.xyzReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fat-removal-40622.bond
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fat-removal-40622.bond/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fat-removal-40622.bond/egs9/www.uhsrgi.info
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fat-removal-40622.bondReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shop/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shop/egs9/www.fat-removal-40622.bond
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.isbnu.shopReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jk77juta-official.cloud
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jk77juta-official.cloud/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jk77juta-official.cloud/egs9/www.wqsbr5jc.vip
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jk77juta-official.cloudReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maipingxiu.net
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maipingxiu.net/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.maipingxiu.netReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ondqwxl.top
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ondqwxl.top/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ondqwxl.top/egs9/www.maipingxiu.net
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ondqwxl.topReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyz/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyz/egs9/www.creativege.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.play-vanguard-nirvana.xyzReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shop/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shop/egs9/www.jk77juta-official.cloud
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redgoodsgather.shopReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.remationservices26114.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.remationservices26114.shop/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.remationservices26114.shop/egs9/www.redgoodsgather.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.remationservices26114.shopReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.retailzone1997.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.retailzone1997.shop/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.retailzone1997.shop/egs9/www.sellhome.live
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.retailzone1997.shopReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sellhome.live
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sellhome.live/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sellhome.live/egs9/www.aigamestudio.xyz
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.sellhome.liveReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhsrgi.info
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhsrgi.info/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhsrgi.info/egs9/www.blood-flow.bond
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.uhsrgi.infoReferer:
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqsbr5jc.vip
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqsbr5jc.vip/egs9/
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqsbr5jc.vip/egs9/www.retailzone1997.shop
Source: explorer.exe, 00000008.00000002.2126662171.000000000C013000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wqsbr5jc.vipReferer:
Source: explorer.exe, 00000008.00000002.2126028808.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.890050166.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppe#
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://aip.baidubce.com
Source: explorer.exe, 00000008.00000000.890050166.000000000BD76000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2126028808.000000000BD76000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000008.00000000.890050166.000000000BD76000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2126028808.000000000BD76000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS(
Source: explorer.exe, 00000008.00000002.2118962471.0000000006AA3000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.882191100.0000000006AA3000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000008.00000002.2122145010.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.00000000084DE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gRmH-
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://cloud.baidu.com/doc/OCR/s/fk3h7xu7h
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://cloud.tencent.com/document/product/551/35017
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://cloud.tencent.com/document/product/866/35945
Source: explorer.exe, 00000008.00000000.885759071.0000000008669000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: explorer.exe, 00000008.00000002.2126028808.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.890050166.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://fanyi-api.baidu.com/api/trans/sdk/picture
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://fanyi-api.baidu.com/api/trans/vip/translate
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://fanyi-api.baidu.com/product/113
Source: qmgr.db.19.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000013.00000003.1206986809.000001D518A50000.00000004.00000800.00020000.00000000.sdmp, edb.log.19.dr, qmgr.db.19.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: J8bamK92a3.exe, JnKLdAUJztP.exe.0.dr	String found in binary or memory: https://github.com/NPCDW/WindowsFormsOCR
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: qmgr.db.19.dr	String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe1C:
Source: explorer.exe, 00000008.00000002.2126028808.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.890050166.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000008.00000002.2126028808.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.890050166.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcemberA
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000008.00000002.2122145010.000000000885E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.000000000885E000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000008.00000002.2126028808.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.890050166.000000000BDD4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000008.00000000.882191100.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2118962471.0000000006AC4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Source: unknown

Network traffic detected: HTTP traffic on port 49671 -> 443

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DE0115 SysStringLen,CryptDestroyKey,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,SysStringLen,SysStringLen,CryptImportKey,free,SysStringLen,CryptDecrypt,SysAllocStringByteLen,SysFreeString,free,		12_2_00DE0115
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DE0383 __EH_prolog3_GS,SysStringLen,CryptImportKey,GetLastError,CryptGenKey,GetLastError,CryptEncrypt,GetLastError,free,malloc,memset,memcpy,CryptEncrypt,GetLastError,free,SysFreeString,SysFreeString,CryptDestroyKey,CryptDestroyKey,SysFreeString,		12_2_00DE0383

System Summary

Malicious sample detected (through community Yara rule)

Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2128452624.0000000010CCE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: J8bamK92a3.exe PID: 4564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 2584, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: JnKLdAUJztP.exe PID: 5460, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: raserver.exe PID: 6788, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cmstp.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A330 NtCreateFile,	6_2_0041A330
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A3E0 NtReadFile,	6_2_0041A3E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A460 NtClose,	6_2_0041A460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A510 NtAllocateVirtualMemory,	6_2_0041A510
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A32A NtCreateFile,	6_2_0041A32A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041A382 NtReadFile,	6_2_0041A382
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2B60 NtClose,LdrInitializeThunk,	6_2_012D2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	6_2_012D2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2AD0 NtReadFile,LdrInitializeThunk,	6_2_012D2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2D30 NtUnmapViewOfSection,LdrInitializeThunk,	6_2_012D2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2D10 NtMapViewOfSection,LdrInitializeThunk,	6_2_012D2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2DF0 NtQuerySystemInformation,LdrInitializeThunk,	6_2_012D2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2DD0 NtDelayExecution,LdrInitializeThunk,	6_2_012D2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2C70 NtFreeVirtualMemory,LdrInitializeThunk,	6_2_012D2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2CA0 NtQueryInformationToken,LdrInitializeThunk,	6_2_012D2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2F30 NtCreateSection,LdrInitializeThunk,	6_2_012D2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2FB0 NtResumeThread,LdrInitializeThunk,	6_2_012D2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2F90 NtProtectVirtualMemory,LdrInitializeThunk,	6_2_012D2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2FE0 NtCreateFile,LdrInitializeThunk,	6_2_012D2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	6_2_012D2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2E80 NtReadVirtualMemory,LdrInitializeThunk,	6_2_012D2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D4340 NtSetContextThread,	6_2_012D4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D4650 NtSuspendThread,	6_2_012D4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2BA0 NtEnumerateValueKey,	6_2_012D2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2B80 NtQueryInformationFile,	6_2_012D2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2BE0 NtQueryValueKey,	6_2_012D2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2AB0 NtWaitForSingleObject,	6_2_012D2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2AF0 NtWriteFile,	6_2_012D2AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2D00 NtSetInformationFile,	6_2_012D2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2DB0 NtEnumerateKey,	6_2_012D2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2C00 NtQueryInformationProcess,	6_2_012D2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2C60 NtCreateKey,	6_2_012D2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2CF0 NtOpenProcess,	6_2_012D2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2CC0 NtQueryVirtualMemory,	6_2_012D2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2F60 NtCreateProcessEx,	6_2_012D2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2FA0 NtQuerySection,	6_2_012D2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2E30 NtWriteVirtualMemory,	6_2_012D2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2EE0 NtQueueApcThread,	6_2_012D2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D3010 NtOpenDirectoryObject,	6_2_012D3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D3090 NtSetValueKey,	6_2_012D3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D35C0 NtCreateMutant,	6_2_012D35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D39B0 NtGetContextThread,	6_2_012D39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D3D10 NtOpenProcessToken,	6_2_012D3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D3D70 NtOpenThread,	6_2_012D3D70
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB7E12 NtProtectVirtualMemory,	8_2_10CB7E12
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB6232 NtCreateFile,	8_2_10CB6232
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB7E0A NtProtectVirtualMemory,	8_2_10CB7E0A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2CA0 NtQueryInformationToken,LdrInitializeThunk,	12_2_04AB2CA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2C60 NtCreateKey,LdrInitializeThunk,	12_2_04AB2C60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2C70 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_04AB2C70
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2DF0 NtQuerySystemInformation,LdrInitializeThunk,	12_2_04AB2DF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2DD0 NtDelayExecution,LdrInitializeThunk,	12_2_04AB2DD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2D10 NtMapViewOfSection,LdrInitializeThunk,	12_2_04AB2D10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_04AB2EA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2FE0 NtCreateFile,LdrInitializeThunk,	12_2_04AB2FE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2F30 NtCreateSection,LdrInitializeThunk,	12_2_04AB2F30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2AD0 NtReadFile,LdrInitializeThunk,	12_2_04AB2AD0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2BE0 NtQueryValueKey,LdrInitializeThunk,	12_2_04AB2BE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_04AB2BF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2B60 NtClose,LdrInitializeThunk,	12_2_04AB2B60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB35C0 NtCreateMutant,LdrInitializeThunk,	12_2_04AB35C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB4650 NtSuspendThread,	12_2_04AB4650
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB4340 NtSetContextThread,	12_2_04AB4340
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2CF0 NtOpenProcess,	12_2_04AB2CF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2CC0 NtQueryVirtualMemory,	12_2_04AB2CC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2C00 NtQueryInformationProcess,	12_2_04AB2C00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2DB0 NtEnumerateKey,	12_2_04AB2DB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2D30 NtUnmapViewOfSection,	12_2_04AB2D30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2D00 NtSetInformationFile,	12_2_04AB2D00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2E80 NtReadVirtualMemory,	12_2_04AB2E80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2EE0 NtQueueApcThread,	12_2_04AB2EE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2E30 NtWriteVirtualMemory,	12_2_04AB2E30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2FA0 NtQuerySection,	12_2_04AB2FA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2FB0 NtResumeThread,	12_2_04AB2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2F90 NtProtectVirtualMemory,	12_2_04AB2F90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2F60 NtCreateProcessEx,	12_2_04AB2F60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2AB0 NtWaitForSingleObject,	12_2_04AB2AB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2AF0 NtWriteFile,	12_2_04AB2AF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2BA0 NtEnumerateValueKey,	12_2_04AB2BA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB2B80 NtQueryInformationFile,	12_2_04AB2B80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB3090 NtSetValueKey,	12_2_04AB3090
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB3010 NtOpenDirectoryObject,	12_2_04AB3010
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB3D10 NtOpenProcessToken,	12_2_04AB3D10
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB3D70 NtOpenThread,	12_2_04AB3D70
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB39B0 NtGetContextThread,	12_2_04AB39B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DA330 NtCreateFile,	12_2_007DA330
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DA3E0 NtReadFile,	12_2_007DA3E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DA460 NtClose,	12_2_007DA460
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DA510 NtAllocateVirtualMemory,	12_2_007DA510
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DA32A NtCreateFile,	12_2_007DA32A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DA382 NtReadFile,	12_2_007DA382
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_0478A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,NtQueueApcThread,NtResumeThread,	12_2_0478A036
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04789BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	12_2_04789BAF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_0478A042 NtQueryInformationProcess,	12_2_0478A042
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04789BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	12_2_04789BB2

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_00E58380	0_2_00E58380
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_00E58370	0_2_00E58370
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C525B0	0_2_04C525B0
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C57D00	0_2_04C57D00
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C50040	0_2_04C50040
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C509F0	0_2_04C509F0
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C50A00	0_2_04C50A00
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C57CE0	0_2_04C57CE0
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C77858	0_2_04C77858
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C76AAB	0_2_04C76AAB
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C76AB4	0_2_04C76AB4
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_06D49438	0_2_06D49438
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_06D4A0E0	0_2_06D4A0E0
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_06D49CA8	0_2_06D49CA8
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_06D4B8F8	0_2_06D4B8F8
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_06D4B8E8	0_2_06D4B8E8
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_06D49870	0_2_06D49870
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_0B5A1930	0_2_0B5A1930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401030	6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00401174	6_2_00401174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041DBC0	6_2_0041DBC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041E566	6_2_0041E566
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402D90	6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E5B	6_2_00409E5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00409E60	6_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D729	6_2_0041D729
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00402FB0	6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290100	6_2_01290100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133A118	6_2_0133A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01328158	6_2_01328158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013541A2	6_2_013541A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013601AA	6_2_013601AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013581CC	6_2_013581CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135A352	6_2_0135A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013603E6	6_2_013603E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE3F0	6_2_012AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013202C0	6_2_013202C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01360591	6_2_01360591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01344420	6_2_01344420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01352446	6_2_01352446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134E4F6	6_2_0134E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C4750	6_2_012C4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129C7C0	6_2_0129C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BC6E0	6_2_012BC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B6962	6_2_012B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0136A9A6	6_2_0136A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A2840	6_2_012A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AA840	6_2_012AA840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012868B8	6_2_012868B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE8F0	6_2_012CE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135AB40	6_2_0135AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01356BD7	6_2_01356BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AAD00	6_2_012AAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133CD1F	6_2_0133CD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B8DBF	6_2_012B8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129ADE0	6_2_0129ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0C00	6_2_012A0C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340CB5	6_2_01340CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290CF2	6_2_01290CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01342F30	6_2_01342F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E2F28	6_2_012E2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C0F30	6_2_012C0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01314F40	6_2_01314F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131EFA0	6_2_0131EFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012ACFE0	6_2_012ACFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01292FC8	6_2_01292FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135EE26	6_2_0135EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0E59	6_2_012A0E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135CE93	6_2_0135CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2E90	6_2_012B2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135EEDB	6_2_0135EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D516C	6_2_012D516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128F172	6_2_0128F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0136B16B	6_2_0136B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AB1B0	6_2_012AB1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135F0E0	6_2_0135F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013570E9	6_2_013570E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A70C0	6_2_012A70C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134F0CC	6_2_0134F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135132D	6_2_0135132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128D34C	6_2_0128D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E739A	6_2_012E739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A52A0	6_2_012A52A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013412ED	6_2_013412ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BB2C0	6_2_012BB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01357571	6_2_01357571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133D5B0	6_2_0133D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013695C3	6_2_013695C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135F43F	6_2_0135F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01291460	6_2_01291460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135F7B0	6_2_0135F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E5630	6_2_012E5630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013516CC	6_2_013516CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01335910	6_2_01335910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A9950	6_2_012A9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BB950	6_2_012BB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130D800	6_2_0130D800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A38E0	6_2_012A38E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135FB76	6_2_0135FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BFB80	6_2_012BFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01315BF0	6_2_01315BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012DDBF9	6_2_012DDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01313A6C	6_2_01313A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01357A46	6_2_01357A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135FA49	6_2_0135FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E5AA0	6_2_012E5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01341AA3	6_2_01341AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133DAAC	6_2_0133DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134DAC6	6_2_0134DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01357D73	6_2_01357D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A3D40	6_2_012A3D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01351D5A	6_2_01351D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BFDC0	6_2_012BFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01319C32	6_2_01319C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135FCF2	6_2_0135FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135FF09	6_2_0135FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135FFB1	6_2_0135FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A1F92	6_2_012A1F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01263FD5	6_2_01263FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01263FD2	6_2_01263FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A9EB0	6_2_012A9EB0
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_011A8380	7_2_011A8380
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_011A8370	7_2_011A8370
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_050E7858	7_2_050E7858
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_050E6AB4	7_2_050E6AB4
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_06D6A490	7_2_06D6A490
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_06D698A8	7_2_06D698A8
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_06D60040	7_2_06D60040
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_06D60007	7_2_06D60007
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_06D69DB8	7_2_06D69DB8
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_07009438	7_2_07009438
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_0700A0E0	7_2_0700A0E0
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_07009CA8	7_2_07009CA8
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_07009870	7_2_07009870
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_0700B8E8	7_2_0700B8E8
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_0700B8F8	7_2_0700B8F8
Source: C:\Windows\explorer.exe	Code function: 8_2_0DFA85CD	8_2_0DFA85CD
Source: C:\Windows\explorer.exe	Code function: 8_2_0DFA2912	8_2_0DFA2912
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF9CD02	8_2_0DF9CD02
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF9B082	8_2_0DF9B082
Source: C:\Windows\explorer.exe	Code function: 8_2_0DFA4036	8_2_0DFA4036
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF9FB30	8_2_0DF9FB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0DF9FB32	8_2_0DF9FB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0DFA5232	8_2_0DFA5232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E102232	8_2_0E102232
Source: C:\Windows\explorer.exe	Code function: 8_2_0E0FCB32	8_2_0E0FCB32
Source: C:\Windows\explorer.exe	Code function: 8_2_0E0FCB30	8_2_0E0FCB30
Source: C:\Windows\explorer.exe	Code function: 8_2_0E101036	8_2_0E101036
Source: C:\Windows\explorer.exe	Code function: 8_2_0E0F8082	8_2_0E0F8082
Source: C:\Windows\explorer.exe	Code function: 8_2_0E0F9D02	8_2_0E0F9D02
Source: C:\Windows\explorer.exe	Code function: 8_2_0E0FF912	8_2_0E0FF912
Source: C:\Windows\explorer.exe	Code function: 8_2_0E1055CD	8_2_0E1055CD
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB6232	8_2_10CB6232
Source: C:\Windows\explorer.exe	Code function: 8_2_10CAC082	8_2_10CAC082
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB5036	8_2_10CB5036
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB95CD	8_2_10CB95CD
Source: C:\Windows\explorer.exe	Code function: 8_2_10CADD02	8_2_10CADD02
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB3912	8_2_10CB3912
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB0B32	8_2_10CB0B32
Source: C:\Windows\explorer.exe	Code function: 8_2_10CB0B30	8_2_10CB0B30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DD5F64	12_2_00DD5F64
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B2E4F6	12_2_04B2E4F6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B32446	12_2_04B32446
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B40591	12_2_04B40591
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A80535	12_2_04A80535
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A9C6E0	12_2_04A9C6E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A7C7C0	12_2_04A7C7C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A80770	12_2_04A80770
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AA4750	12_2_04AA4750
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B12000	12_2_04B12000
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B401AA	12_2_04B401AA
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B381CC	12_2_04B381CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A70100	12_2_04A70100
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B1A118	12_2_04B1A118
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B08158	12_2_04B08158
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B002C0	12_2_04B002C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B20274	12_2_04B20274
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B403E6	12_2_04B403E6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A8E3F0	12_2_04A8E3F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3A352	12_2_04B3A352
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B20CB5	12_2_04B20CB5
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A70CF2	12_2_04A70CF2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A80C00	12_2_04A80C00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A98DBF	12_2_04A98DBF
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A7ADE0	12_2_04A7ADE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A8AD00	12_2_04A8AD00
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3CE93	12_2_04B3CE93
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A92E90	12_2_04A92E90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3EEDB	12_2_04B3EEDB
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3EE26	12_2_04B3EE26
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A80E59	12_2_04A80E59
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AFEFA0	12_2_04AFEFA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A8CFE0	12_2_04A8CFE0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A72FC8	12_2_04A72FC8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AC2F28	12_2_04AC2F28
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AA0F30	12_2_04AA0F30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AF4F40	12_2_04AF4F40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A668B8	12_2_04A668B8
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AAE8F0	12_2_04AAE8F0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A8A840	12_2_04A8A840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A82840	12_2_04A82840
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A829A0	12_2_04A829A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B4A9A6	12_2_04B4A9A6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A96962	12_2_04A96962
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A7EA80	12_2_04A7EA80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B36BD7	12_2_04B36BD7
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3AB40	12_2_04B3AB40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3F43F	12_2_04B3F43F
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A71460	12_2_04A71460
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B1D5B0	12_2_04B1D5B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B37571	12_2_04B37571
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B316CC	12_2_04B316CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3F7B0	12_2_04B3F7B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3F0E0	12_2_04B3F0E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B370E9	12_2_04B370E9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A870C0	12_2_04A870C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B2F0CC	12_2_04B2F0CC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A8B1B0	12_2_04A8B1B0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AB516C	12_2_04AB516C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A6F172	12_2_04A6F172
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B4B16B	12_2_04B4B16B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A852A0	12_2_04A852A0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B212ED	12_2_04B212ED
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A9B2C0	12_2_04A9B2C0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AC739A	12_2_04AC739A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3132D	12_2_04B3132D
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A6D34C	12_2_04A6D34C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3FCF2	12_2_04B3FCF2
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AF9C32	12_2_04AF9C32
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A9FDC0	12_2_04A9FDC0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B37D73	12_2_04B37D73
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A83D40	12_2_04A83D40
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B31D5A	12_2_04B31D5A
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A89EB0	12_2_04A89EB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3FFB1	12_2_04B3FFB1
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A81F92	12_2_04A81F92
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3FF09	12_2_04B3FF09
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A838E0	12_2_04A838E0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AED800	12_2_04AED800
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B15910	12_2_04B15910
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A89950	12_2_04A89950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A9B950	12_2_04A9B950
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AC5AA0	12_2_04AC5AA0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B1DAAC	12_2_04B1DAAC
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B2DAC6	12_2_04B2DAC6
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AF3A6C	12_2_04AF3A6C
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B37A46	12_2_04B37A46
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3FA49	12_2_04B3FA49
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04A9FB80	12_2_04A9FB80
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04ABDBF9	12_2_04ABDBF9
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04AF5BF0	12_2_04AF5BF0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04B3FB76	12_2_04B3FB76
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007DE566	12_2_007DE566
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007C2D90	12_2_007C2D90
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007C9E60	12_2_007C9E60
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007C9E5B	12_2_007C9E5B
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_007C2FB0	12_2_007C2FB0
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_0478A036	12_2_0478A036
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04782D02	12_2_04782D02
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_0478E5CD	12_2_0478E5CD
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04781082	12_2_04781082
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04788912	12_2_04788912
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_0478B232	12_2_0478B232
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04785B30	12_2_04785B30
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_04785B32	12_2_04785B32

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0128B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0131F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 012E7E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 0130EA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: String function: 012D5130 appears 58 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04A6B970 appears 275 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04AEEA12 appears 86 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04AB5130 appears 57 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 00DE0FD2 appears 117 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04AC7E54 appears 100 times
Source: C:\Windows\SysWOW64\raserver.exe	Code function: String function: 04AFF290 appears 105 times

Source: J8bamK92a3.exe, 00000000.00000000.845735732.000000000038A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameUXHI.exe@ vs J8bamK92a3.exe
Source: J8bamK92a3.exe, 00000000.00000002.899817586.0000000005040000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs J8bamK92a3.exe
Source: J8bamK92a3.exe, 00000000.00000002.894239184.000000000098E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs J8bamK92a3.exe
Source: J8bamK92a3.exe, 00000000.00000002.896055559.00000000026EF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTL.dll" vs J8bamK92a3.exe
Source: J8bamK92a3.exe, 00000000.00000002.901624094.00000000080F0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMontero.dll8 vs J8bamK92a3.exe
Source: J8bamK92a3.exe	Binary or memory string: OriginalFilenameUXHI.exe@ vs J8bamK92a3.exe

Source: J8bamK92a3.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"			Jump to behavior

Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2128452624.0000000010CCE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: J8bamK92a3.exe PID: 4564, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 2584, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: JnKLdAUJztP.exe PID: 5460, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: raserver.exe PID: 6788, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cmstp.exe PID: 5884, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: J8bamK92a3.exe	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JnKLdAUJztP.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, T5iZxq4mrvcS2VW4xW.cs	Security API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, T5iZxq4mrvcS2VW4xW.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, T5iZxq4mrvcS2VW4xW.cs	Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, jVm9uJnGhuoaPx5VJa.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, jVm9uJnGhuoaPx5VJa.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@483/15@7/3

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 12_2_00DDA010 CoCreateInstance,

12_2_00DDA010

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 12_2_00DD52BB __EH_prolog3_catch_GS,LoadLibraryExW,FindResourceExW,LoadResource,SizeofResource,MultiByteToWideChar,FreeLibrary,

12_2_00DD52BB

Source: C:\Users\user\Desktop\J8bamK92a3.exe

File created: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4760:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5376:120:WilError_03
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Mutant created: \Sessions\1\BaseNamedObjects\uFUzLvsCWbXPNiQBAWGWvnLJSea
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03

Source: C:\Users\user\Desktop\J8bamK92a3.exe

File created: C:\Users\user\AppData\Local\Temp\tmp58A8.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe

Command line argument: offerraupdate

12_2_00DD9AC5

Source: J8bamK92a3.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: J8bamK92a3.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\J8bamK92a3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\J8bamK92a3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: J8bamK92a3.exe	Virustotal: Detection: 81%
Source: J8bamK92a3.exe	ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\J8bamK92a3.exe

File read: C:\Users\user\Desktop\J8bamK92a3.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\J8bamK92a3.exe "C:\Users\user\Desktop\J8bamK92a3.exe"
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\raserver.exe "C:\Windows\SysWOW64\raserver.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cmstp.exe "C:\Windows\SysWOW64\cmstp.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscinterop.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wscapi.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: werconcpl.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: hcproviders.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: cmutil.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmstp.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll

Source: C:\Users\user\Desktop\J8bamK92a3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\J8bamK92a3.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: J8bamK92a3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: J8bamK92a3.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: J8bamK92a3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 0000000E.00000002.943116968.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.937630500.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.941778001.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb, source: explorer.exe, 00000008.00000002.2128097968.000000001041F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 0000000C.00000002.2114415874.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2117009769.0000000004F8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.931535294.0000000001260000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000C.00000003.932162810.0000000004898000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000003.929911941.00000000046E1000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.935657291.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.000000000531E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.939434306.0000000004FD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000006.00000002.931535294.0000000001260000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, raserver.exe, 0000000C.00000003.932162810.0000000004898000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000003.929911941.00000000046E1000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004BDE000.00000040.00001000.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2115988758.0000000004A40000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.0000000005180000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.935657291.0000000004E23000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.942729935.000000000531E000.00000040.00001000.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000003.939434306.0000000004FD6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RAServer.pdb source: RegSvcs.exe, 00000006.00000002.931428697.0000000001220000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.930236422.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, raserver.exe, 0000000C.00000002.2114997792.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: cmstp.pdb source: RegSvcs.exe, 0000000E.00000002.943116968.0000000000F50000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000E.00000002.937630500.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, cmstp.exe, 0000000F.00000002.941778001.0000000000EB0000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: RegSvcs.pdb source: explorer.exe, 00000008.00000002.2128097968.000000001041F000.00000004.80000000.00040000.00000000.sdmp, raserver.exe, 0000000C.00000002.2114415874.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2117009769.0000000004F8F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 00000006.00000002.931428697.0000000001220000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.930236422.0000000000E08000.00000004.00000020.00020000.00000000.sdmp, raserver.exe, 0000000C.00000002.2114997792.0000000000DD0000.00000040.80000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: J8bamK92a3.exe, MainForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: JnKLdAUJztP.exe.0.dr, MainForm.cs	.Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.J8bamK92a3.exe.5040000.2.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.J8bamK92a3.exe.276381c.1.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, T5iZxq4mrvcS2VW4xW.cs	.Net Code: D6EiG2Fuau System.Reflection.Assembly.Load(byte[])
Source: 7.2.JnKLdAUJztP.exe.2d438f4.1.raw.unpack, .cs	.Net Code: System.Reflection.Assembly.Load(byte[])

Source: J8bamK92a3.exe

Static PE information: 0xDC937A04 [Tue Apr 8 15:02:28 2087 UTC]

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 12_2_00DDACA0 LoadLibraryW,GetProcAddress,GetProcAddress,WTSEnumerateSessionsW,GetProcessHeap,HeapAlloc,WTSFreeMemory,WTSFreeMemory,WTSQuerySessionInformationW,WTSQuerySessionInformationW,StrCmpIW,GetProcessHeap,HeapAlloc,SafeArrayCreateVector,SafeArrayAccessData,SysAllocString,SafeArrayUnaccessData,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,WTSFreeMemory,WTSFreeMemory,WTSFreeMemory,SafeArrayDestroy,SysFreeString,

12_2_00DDACA0

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C5E72A push ebx; ret	0_2_04C5E72E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C5EA1F pushad ; ret	0_2_04C5EA2E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C5D2B7 push ecx; ret	0_2_04C5D2C6
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C7F461 push es; ret	0_2_04C7F46E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C77520 push eax; mov dword ptr [esp], ecx	0_2_04C77534
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C74241 push ecx; ret	0_2_04C7420E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C74261 push ecx; ret	0_2_04C7420E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C74200 push ecx; ret	0_2_04C7420E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C7FC28 push es; ret	0_2_04C7FC36
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C7CD8A push es; ret	0_2_04C7CD8B
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C72E90 push esp; ret	0_2_04C72EBE
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C74F40 push ecx; ret	0_2_04C74F4E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C7EF78 push es; ret	0_2_04C7EF86
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C72F30 push cs; ret	0_2_04C72F3E
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Code function: 0_2_04C729FF push cs; ret	0_2_04C72A1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00407820 push edx; ret	6_2_0040783D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041F0B9 push eax; ret	6_2_0041F0C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0040E3FA push cs; retf	6_2_0040E413
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4D2 push eax; ret	6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D4DB push eax; ret	6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D485 push eax; ret	6_2_0041D4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0041D53C push eax; ret	6_2_0041D542
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_004077EA push edx; ret	6_2_0040783D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00408793 push edx; ret	6_2_0040879A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0126225F pushad ; ret	6_2_012627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012627FA pushad ; ret	6_2_012627F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012909AD push ecx; mov dword ptr [esp], ecx	6_2_012909B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0126283D push eax; iretd	6_2_01262858
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01261368 push eax; iretd	6_2_01261369
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_050E7520 push eax; mov dword ptr [esp], ecx	7_2_050E7534
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Code function: 7_2_0A63140D push FFFFFF8Bh; iretd	7_2_0A63140F

Source: J8bamK92a3.exe	Static PE information: section name: .text entropy: 7.657872715186067
Source: JnKLdAUJztP.exe.0.dr	Static PE information: section name: .text entropy: 7.657872715186067

Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, w5NTaiobT6YidiGv4A.cs	High entropy of concatenated method names: 'tQgx3MHQvM', 'e8lxMnUAEI', 'sXRxGoonhJ', 'mPSx7vpZvv', 'lU9x8l6rlO', 'RgBxJaKw0X', 'TWxxCRdku8', 'lndxnGnfC9', 'UhmxqDBoJe', 'EUZx5BQWBK'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, BsCNXa5DS7kOJXkGRL.cs	High entropy of concatenated method names: 'g8J18dQwLk', 'ElA1C3oHqh', 'aMaAI2Vwt0', 'NtPA2GD7u9', 'F3xAPPYBT3', 'g4NA9ljVjd', 'BSIAZdZtFY', 'JaBATl38y9', 'CURAoM5yKY', 'nwoAQ2veMs'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, cVxi5CzO90ASiluFBi.cs	High entropy of concatenated method names: 'tPnOJR43L8', 'ERsOnBsdgf', 'YguOqGdNa8', 'c4eOf8mq1x', 'pcBOcte4S6', 'qBfO2ZYY3E', 'ys8OP6TjRB', 'jEVO0te2X3', 'dypO3sCxei', 'UfFOMMu5My'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, BB7O8biMXI3xaTZu5m.cs	High entropy of concatenated method names: 'xhKExVm9uJ', 'zhuE4oaPx5', 'jOjEhYQjWd', 'f17E6yJsCN', 'QkGESRLfEo', 'vbCEjDxHYN', 'Bv3b7NIFsDGZs9wvfn', 'FknmRc9TLdWWKS2KMW', 'aeIEEfcwZJ', 'cP6Emu1HqX'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, gUZwlKqOjYQjWdN17y.cs	High entropy of concatenated method names: 'hKbA7V9qBv', 'uq5AJ82Ppc', 'Fx6AnuPMtY', 'JBtAqiiASm', 'Po1ASyqEmK', 'p7XAjRjd4G', 'LpMAWQE956', 'pXDALUnskZ', 'JLSApGfjqc', 'L5kAOYLvty'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, L71xl5EE8ByNSseyfNk.cs	High entropy of concatenated method names: 'r1aOvfdlag', 'InWOz59FTo', 'oEYHDsXPXm', 'RCqHEP57W4', 'a4bHRIyWOs', 'cibHm6Uqgt', 'nyyHi70dwd', 'nkCHe3UKhT', 'eYSHNRVqd0', 'G82HBewSok'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, M3xuu8RcNGbXL42B6O.cs	High entropy of concatenated method names: 'HQBGp6gYR', 'li67VnZ35', 'JWCJ4GBYE', 'e96CXDf5Q', 'KZeqZwitt', 'st45NOqGl', 'qXWDse8BSh6QGQs5gR', 'hxKobLekV5XWN1ELNi', 'bdCLSdhMB', 'nJQOTdH3O'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, d1caLf27xmWpl8ZAMA.cs	High entropy of concatenated method names: 'UAtK0jbEOT', 'Xt6K3eFFLy', 'NnZKG4vNyp', 'r2nK7gPuJ7', 'WZRKJmqPkS', 'jloKC7wk5f', 'ufMKqXXl69', 'aWoK5QWJYF', 'yLh06mRG6Ed3ma3KQ2p', 'G7MLuqRcuRR5WgZKcMs'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, KUiNc5wWJ1JNa725fw.cs	High entropy of concatenated method names: 'SXfpfJZ2uf', 'X9MpcxPniP', 'QxbpIliTwC', 'x36p21737p', 'MFZpPZIhFx', 'jh2p9T81c5', 'qBapZO6pvg', 'qVcpTYVShV', 'Xq5poIOTy5', 'eZ5pQk4iDY'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, jVm9uJnGhuoaPx5VJa.cs	High entropy of concatenated method names: 'rI9BXGI4iI', 'w6xBgifc4C', 'lvHBFj5WIU', 'a6WBrLps2w', 'TM3BbdrXEp', 'RBmBYmkDRt', 'nc4BuB4FQ1', 'AscBt9Vngu', 'HGtBwSfmKd', 'VOpBvERF2L'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, KYi6M2ZbIr76CsGkM8.cs	High entropy of concatenated method names: 'YfnxNgAE3j', 'En7xABI9nB', 'WjdxK7oepi', 'fUFKvj5o5L', 'k1JKzXAQnm', 'iZIxDVnRRq', 'uN5xEliEcQ', 'QJvxR7o9t0', 'Y2KxmEhHSy', 'vSGxiH7HU8'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, n72L20ukRB2D7gUTp7.cs	High entropy of concatenated method names: 'SmfpSBKIYh', 'hd7pWIEwgE', 'xteppThOGy', 'URWpHLUOMO', 'etMpabVIpC', 'YkQp0WInoV', 'Dispose', 'CoULNvbqJT', 'ywpLBl2h6j', 'EBhLAMtEBb'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, HugBT2EiPaDrRUddHC3.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ScOlpSS6Nx', 'L5KlOJsMLr', 'SWslHKx9iZ', 'G8Ull54H0y', 'Jd8laTFyIp', 'UrUlyqM0Js', 'AXul0qicUY'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, vKXKXrEDqhhJu3wHUL5.cs	High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oD5OUHfTXu', 'XAyOs9cWkK', 'iC4OdiwZCH', 'APGOXUmnP5', 'EYeOgguSsx', 'DANOFYOxg4', 'dlUOrI7ye8'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, bfdACsBY9YIEYFKDst.cs	High entropy of concatenated method names: 'Dispose', 'g2DEw7gUTp', 'RgiRc92nH3', 'fGkAUI6yjf', 'AFKEvAA1ho', 'DPiEzJFswu', 'ProcessDialogKey', 'c09RDUiNc5', 'qJ1REJNa72', 'FfwRRwpi5B'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, osjUcYdQA70m8Y0tRm.cs	High entropy of concatenated method names: 'UT9knnLX9d', 'myYkqB9gc9', 'H6JkfOTF3x', 'r9UkcK1DCH', 'tRsk2vFBBL', 'is9kPrZxiu', 'd2mkZ2794G', 'TMfkTd8sKV', 'eX1kQ1Y4Nf', 'RTxkU5qk4c'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, cFvusAXSlJiUNqgrog.cs	High entropy of concatenated method names: 'rxISQW4Asm', 'mUCSsJyStg', 'jxtSXGhwJ8', 'NRnSgJq4ZS', 'c8cSchxQdD', 'wNnSIdXgl7', 'D5cS2fRFHJ', 'g1SSPPEAhV', 'brpS9g9IjG', 'B3iSZE2heU'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, GEoabCfDxHYNpilRfG.cs	High entropy of concatenated method names: 'WivKe07MkM', 'PirKBPqNuw', 'aj7K179Rhl', 'cPIKxqZZsI', 'WdhK41F7W9', 'tv81bZuJid', 'FHn1YmYpNU', 'zZQ1ucPPuV', 'KpI1tgWEn1', 'TPm1wLhdbc'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, l7scj3YgPqT9oVqrc7.cs	High entropy of concatenated method names: 'WUvWtAA8H1', 'Q33Wvegv1E', 'UCALDQPUZI', 'OAgLE03Z22', 'SoFWUOkgTY', 'CQfWsIPVkx', 'bg7Wdean2D', 'jxBWXw3pYj', 'qtRWg3J9m9', 'IXGWFIpdEx'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, T5iZxq4mrvcS2VW4xW.cs	High entropy of concatenated method names: 'sLdmeIZ2tR', 'mofmN0swjv', 'NObmBY2mCX', 'MyBmAriefu', 'A0cm1Lthap', 'aOxmKhMiLX', 'LErmxZ4VmT', 'HbGm4gqtRy', 'H6cmVFNahV', 'PFpmhaXqiP'
Source: 0.2.J8bamK92a3.exe.80f0000.3.raw.unpack, Xpi5Byv10GJGDI7gZ5.cs	High entropy of concatenated method names: 'QRaOAsyer0', 'P9bO10T9qT', 'TWYOKbDfcj', 'R2FOxhRxiv', 'yV9OpEKmri', 'uumO4qITZF', 'Next', 'Next', 'Next', 'NextBytes'

Source: C:\Users\user\Desktop\J8bamK92a3.exe

File created: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\J8bamK92a3.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp"

Hooking and other Techniques for Hiding and Protection

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Source: initial sample

Icon embedded in binary file: icon matches a legit application icon: icon (4339).png

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Modifies the prolog of user mode functions (user mode inline hooks)

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xEF

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: J8bamK92a3.exe PID: 4564, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: JnKLdAUJztP.exe PID: 5460, type: MEMORYSTR

Switches to a custom stack to bypass stack traces

Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60D324
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B610774
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60D944
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60D504
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60D544
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60D1E4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B610154
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60D8A4
Source: C:\Windows\SysWOW64\raserver.exe	API/Special instruction interceptor: Address: 7FFC1B60DA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 7C9904 second address: 7C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe	RDTSC instruction interceptor: First address: 7C9B7E second address: 7C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 3229904 second address: 322990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmstp.exe	RDTSC instruction interceptor: First address: 3229B7E second address: 3229B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: 2600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: 4600000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: 8270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: 9270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: 9460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: A460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 11A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 73D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 83D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 8560000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: 9560000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7300	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2132	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 4124	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 5812	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 893	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 863	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Window / User API: threadDelayed 9833	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	API coverage: 1.6 %
Source: C:\Windows\SysWOW64\raserver.exe	API coverage: 1.5 %

Source: C:\Users\user\Desktop\J8bamK92a3.exe TID: 7032	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 396	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5164	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe TID: 5240	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6556	Thread sleep count: 4124 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6556	Thread sleep time: -8248000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6556	Thread sleep count: 5812 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6556	Thread sleep time: -11624000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 4788	Thread sleep count: 136 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 4788	Thread sleep time: -272000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 4788	Thread sleep count: 9833 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe TID: 4788	Thread sleep time: -19666000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 1328	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\raserver.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: explorer.exe, 00000008.00000002.2122145010.00000000087C6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00ssB1n
Source: svchost.exe, 00000013.00000002.2116705630.000001D51362B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: explorer.exe, 00000008.00000002.2122145010.0000000008610000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: explorer.exe, 00000008.00000002.2122145010.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.00000000084DE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-GB\vhdmp.inf_loc
Source: explorer.exe, 00000008.00000000.885759071.0000000008669000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2122145010.0000000008669000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000013.00000002.2119344703.000001D518C55000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000008.00000002.2122145010.0000000008774000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000erf
Source: explorer.exe, 00000008.00000000.879201370.0000000000584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000a;
Source: explorer.exe, 00000008.00000000.885759071.000000000867B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000000.885759071.0000000008610000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2122145010.0000000008610000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: explorer.exe, 00000008.00000002.2122145010.0000000008610000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: =War&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000008.00000000.879201370.0000000000584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000008.00000002.2122145010.000000000874E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}/
Source: explorer.exe, 00000008.00000002.2122145010.000000000874E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000002.2122145010.000000000874E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}o
Source: explorer.exe, 00000008.00000000.885759071.00000000084DE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I
Source: explorer.exe, 00000008.00000000.879201370.0000000000584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\J8bamK92a3.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\cmstp.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_00409AB0 rdtsc

6_2_00409AB0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Code function: 6_2_0040ACF0 LdrLoadDll,

6_2_0040ACF0

Source: C:\Windows\SysWOW64\raserver.exe

12_2_00DDACA0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C0124 mov eax, dword ptr fs:[00000030h]	6_2_012C0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01350115 mov eax, dword ptr fs:[00000030h]	6_2_01350115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133A118 mov ecx, dword ptr fs:[00000030h]	6_2_0133A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133A118 mov eax, dword ptr fs:[00000030h]	6_2_0133A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133A118 mov eax, dword ptr fs:[00000030h]	6_2_0133A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133A118 mov eax, dword ptr fs:[00000030h]	6_2_0133A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov eax, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov ecx, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov eax, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov eax, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov ecx, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov eax, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov eax, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov ecx, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov eax, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E10E mov ecx, dword ptr fs:[00000030h]	6_2_0133E10E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364164 mov eax, dword ptr fs:[00000030h]	6_2_01364164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364164 mov eax, dword ptr fs:[00000030h]	6_2_01364164
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01328158 mov eax, dword ptr fs:[00000030h]	6_2_01328158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01324144 mov eax, dword ptr fs:[00000030h]	6_2_01324144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01324144 mov eax, dword ptr fs:[00000030h]	6_2_01324144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01324144 mov ecx, dword ptr fs:[00000030h]	6_2_01324144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01324144 mov eax, dword ptr fs:[00000030h]	6_2_01324144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01324144 mov eax, dword ptr fs:[00000030h]	6_2_01324144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296154 mov eax, dword ptr fs:[00000030h]	6_2_01296154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296154 mov eax, dword ptr fs:[00000030h]	6_2_01296154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128C156 mov eax, dword ptr fs:[00000030h]	6_2_0128C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D0185 mov eax, dword ptr fs:[00000030h]	6_2_012D0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131019F mov eax, dword ptr fs:[00000030h]	6_2_0131019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131019F mov eax, dword ptr fs:[00000030h]	6_2_0131019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131019F mov eax, dword ptr fs:[00000030h]	6_2_0131019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131019F mov eax, dword ptr fs:[00000030h]	6_2_0131019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01334180 mov eax, dword ptr fs:[00000030h]	6_2_01334180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01334180 mov eax, dword ptr fs:[00000030h]	6_2_01334180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134C188 mov eax, dword ptr fs:[00000030h]	6_2_0134C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134C188 mov eax, dword ptr fs:[00000030h]	6_2_0134C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128A197 mov eax, dword ptr fs:[00000030h]	6_2_0128A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128A197 mov eax, dword ptr fs:[00000030h]	6_2_0128A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128A197 mov eax, dword ptr fs:[00000030h]	6_2_0128A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013661E5 mov eax, dword ptr fs:[00000030h]	6_2_013661E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C01F8 mov eax, dword ptr fs:[00000030h]	6_2_012C01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0130E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0130E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E1D0 mov ecx, dword ptr fs:[00000030h]	6_2_0130E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0130E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E1D0 mov eax, dword ptr fs:[00000030h]	6_2_0130E1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013561C3 mov eax, dword ptr fs:[00000030h]	6_2_013561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013561C3 mov eax, dword ptr fs:[00000030h]	6_2_013561C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01326030 mov eax, dword ptr fs:[00000030h]	6_2_01326030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128A020 mov eax, dword ptr fs:[00000030h]	6_2_0128A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128C020 mov eax, dword ptr fs:[00000030h]	6_2_0128C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01314000 mov ecx, dword ptr fs:[00000030h]	6_2_01314000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01332000 mov eax, dword ptr fs:[00000030h]	6_2_01332000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE016 mov eax, dword ptr fs:[00000030h]	6_2_012AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE016 mov eax, dword ptr fs:[00000030h]	6_2_012AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE016 mov eax, dword ptr fs:[00000030h]	6_2_012AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE016 mov eax, dword ptr fs:[00000030h]	6_2_012AE016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BC073 mov eax, dword ptr fs:[00000030h]	6_2_012BC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316050 mov eax, dword ptr fs:[00000030h]	6_2_01316050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01292050 mov eax, dword ptr fs:[00000030h]	6_2_01292050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012880A0 mov eax, dword ptr fs:[00000030h]	6_2_012880A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013560B8 mov eax, dword ptr fs:[00000030h]	6_2_013560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013560B8 mov ecx, dword ptr fs:[00000030h]	6_2_013560B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013280A8 mov eax, dword ptr fs:[00000030h]	6_2_013280A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129208A mov eax, dword ptr fs:[00000030h]	6_2_0129208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012980E9 mov eax, dword ptr fs:[00000030h]	6_2_012980E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128A0E3 mov ecx, dword ptr fs:[00000030h]	6_2_0128A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013160E0 mov eax, dword ptr fs:[00000030h]	6_2_013160E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128C0F0 mov eax, dword ptr fs:[00000030h]	6_2_0128C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D20F0 mov ecx, dword ptr fs:[00000030h]	6_2_012D20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013120DE mov eax, dword ptr fs:[00000030h]	6_2_013120DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01368324 mov eax, dword ptr fs:[00000030h]	6_2_01368324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01368324 mov ecx, dword ptr fs:[00000030h]	6_2_01368324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01368324 mov eax, dword ptr fs:[00000030h]	6_2_01368324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01368324 mov eax, dword ptr fs:[00000030h]	6_2_01368324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA30B mov eax, dword ptr fs:[00000030h]	6_2_012CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA30B mov eax, dword ptr fs:[00000030h]	6_2_012CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA30B mov eax, dword ptr fs:[00000030h]	6_2_012CA30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128C310 mov ecx, dword ptr fs:[00000030h]	6_2_0128C310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B0310 mov ecx, dword ptr fs:[00000030h]	6_2_012B0310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133437C mov eax, dword ptr fs:[00000030h]	6_2_0133437C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01338350 mov ecx, dword ptr fs:[00000030h]	6_2_01338350
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135A352 mov eax, dword ptr fs:[00000030h]	6_2_0135A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131035C mov eax, dword ptr fs:[00000030h]	6_2_0131035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131035C mov eax, dword ptr fs:[00000030h]	6_2_0131035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131035C mov eax, dword ptr fs:[00000030h]	6_2_0131035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131035C mov ecx, dword ptr fs:[00000030h]	6_2_0131035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131035C mov eax, dword ptr fs:[00000030h]	6_2_0131035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131035C mov eax, dword ptr fs:[00000030h]	6_2_0131035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01312349 mov eax, dword ptr fs:[00000030h]	6_2_01312349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0136634F mov eax, dword ptr fs:[00000030h]	6_2_0136634F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128E388 mov eax, dword ptr fs:[00000030h]	6_2_0128E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128E388 mov eax, dword ptr fs:[00000030h]	6_2_0128E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128E388 mov eax, dword ptr fs:[00000030h]	6_2_0128E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B438F mov eax, dword ptr fs:[00000030h]	6_2_012B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B438F mov eax, dword ptr fs:[00000030h]	6_2_012B438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01288397 mov eax, dword ptr fs:[00000030h]	6_2_01288397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01288397 mov eax, dword ptr fs:[00000030h]	6_2_01288397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01288397 mov eax, dword ptr fs:[00000030h]	6_2_01288397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A03E9 mov eax, dword ptr fs:[00000030h]	6_2_012A03E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C63FF mov eax, dword ptr fs:[00000030h]	6_2_012C63FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE3F0 mov eax, dword ptr fs:[00000030h]	6_2_012AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE3F0 mov eax, dword ptr fs:[00000030h]	6_2_012AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE3F0 mov eax, dword ptr fs:[00000030h]	6_2_012AE3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013343D4 mov eax, dword ptr fs:[00000030h]	6_2_013343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013343D4 mov eax, dword ptr fs:[00000030h]	6_2_013343D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E3DB mov eax, dword ptr fs:[00000030h]	6_2_0133E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E3DB mov eax, dword ptr fs:[00000030h]	6_2_0133E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E3DB mov ecx, dword ptr fs:[00000030h]	6_2_0133E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133E3DB mov eax, dword ptr fs:[00000030h]	6_2_0133E3DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0129A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0129A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0129A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0129A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0129A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A3C0 mov eax, dword ptr fs:[00000030h]	6_2_0129A3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012983C0 mov eax, dword ptr fs:[00000030h]	6_2_012983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012983C0 mov eax, dword ptr fs:[00000030h]	6_2_012983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012983C0 mov eax, dword ptr fs:[00000030h]	6_2_012983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012983C0 mov eax, dword ptr fs:[00000030h]	6_2_012983C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013163C0 mov eax, dword ptr fs:[00000030h]	6_2_013163C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134C3CD mov eax, dword ptr fs:[00000030h]	6_2_0134C3CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128823B mov eax, dword ptr fs:[00000030h]	6_2_0128823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01340274 mov eax, dword ptr fs:[00000030h]	6_2_01340274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128826B mov eax, dword ptr fs:[00000030h]	6_2_0128826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294260 mov eax, dword ptr fs:[00000030h]	6_2_01294260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294260 mov eax, dword ptr fs:[00000030h]	6_2_01294260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294260 mov eax, dword ptr fs:[00000030h]	6_2_01294260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134A250 mov eax, dword ptr fs:[00000030h]	6_2_0134A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134A250 mov eax, dword ptr fs:[00000030h]	6_2_0134A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0136625D mov eax, dword ptr fs:[00000030h]	6_2_0136625D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296259 mov eax, dword ptr fs:[00000030h]	6_2_01296259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01318243 mov eax, dword ptr fs:[00000030h]	6_2_01318243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01318243 mov ecx, dword ptr fs:[00000030h]	6_2_01318243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128A250 mov eax, dword ptr fs:[00000030h]	6_2_0128A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A02A0 mov eax, dword ptr fs:[00000030h]	6_2_012A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A02A0 mov eax, dword ptr fs:[00000030h]	6_2_012A02A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013262A0 mov eax, dword ptr fs:[00000030h]	6_2_013262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013262A0 mov ecx, dword ptr fs:[00000030h]	6_2_013262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013262A0 mov eax, dword ptr fs:[00000030h]	6_2_013262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013262A0 mov eax, dword ptr fs:[00000030h]	6_2_013262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013262A0 mov eax, dword ptr fs:[00000030h]	6_2_013262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013262A0 mov eax, dword ptr fs:[00000030h]	6_2_013262A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE284 mov eax, dword ptr fs:[00000030h]	6_2_012CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE284 mov eax, dword ptr fs:[00000030h]	6_2_012CE284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01310283 mov eax, dword ptr fs:[00000030h]	6_2_01310283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01310283 mov eax, dword ptr fs:[00000030h]	6_2_01310283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01310283 mov eax, dword ptr fs:[00000030h]	6_2_01310283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A02E1 mov eax, dword ptr fs:[00000030h]	6_2_012A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A02E1 mov eax, dword ptr fs:[00000030h]	6_2_012A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A02E1 mov eax, dword ptr fs:[00000030h]	6_2_012A02E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013662D6 mov eax, dword ptr fs:[00000030h]	6_2_013662D6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE53E mov eax, dword ptr fs:[00000030h]	6_2_012BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE53E mov eax, dword ptr fs:[00000030h]	6_2_012BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE53E mov eax, dword ptr fs:[00000030h]	6_2_012BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE53E mov eax, dword ptr fs:[00000030h]	6_2_012BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE53E mov eax, dword ptr fs:[00000030h]	6_2_012BE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535 mov eax, dword ptr fs:[00000030h]	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535 mov eax, dword ptr fs:[00000030h]	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535 mov eax, dword ptr fs:[00000030h]	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535 mov eax, dword ptr fs:[00000030h]	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535 mov eax, dword ptr fs:[00000030h]	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0535 mov eax, dword ptr fs:[00000030h]	6_2_012A0535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01326500 mov eax, dword ptr fs:[00000030h]	6_2_01326500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364500 mov eax, dword ptr fs:[00000030h]	6_2_01364500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C656A mov eax, dword ptr fs:[00000030h]	6_2_012C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C656A mov eax, dword ptr fs:[00000030h]	6_2_012C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C656A mov eax, dword ptr fs:[00000030h]	6_2_012C656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298550 mov eax, dword ptr fs:[00000030h]	6_2_01298550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298550 mov eax, dword ptr fs:[00000030h]	6_2_01298550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013105A7 mov eax, dword ptr fs:[00000030h]	6_2_013105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013105A7 mov eax, dword ptr fs:[00000030h]	6_2_013105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013105A7 mov eax, dword ptr fs:[00000030h]	6_2_013105A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B45B1 mov eax, dword ptr fs:[00000030h]	6_2_012B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B45B1 mov eax, dword ptr fs:[00000030h]	6_2_012B45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C4588 mov eax, dword ptr fs:[00000030h]	6_2_012C4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01292582 mov eax, dword ptr fs:[00000030h]	6_2_01292582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01292582 mov ecx, dword ptr fs:[00000030h]	6_2_01292582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE59C mov eax, dword ptr fs:[00000030h]	6_2_012CE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC5ED mov eax, dword ptr fs:[00000030h]	6_2_012CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC5ED mov eax, dword ptr fs:[00000030h]	6_2_012CC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012925E0 mov eax, dword ptr fs:[00000030h]	6_2_012925E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE5E7 mov eax, dword ptr fs:[00000030h]	6_2_012BE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE5CF mov eax, dword ptr fs:[00000030h]	6_2_012CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE5CF mov eax, dword ptr fs:[00000030h]	6_2_012CE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012965D0 mov eax, dword ptr fs:[00000030h]	6_2_012965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA5D0 mov eax, dword ptr fs:[00000030h]	6_2_012CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA5D0 mov eax, dword ptr fs:[00000030h]	6_2_012CA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128E420 mov eax, dword ptr fs:[00000030h]	6_2_0128E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128E420 mov eax, dword ptr fs:[00000030h]	6_2_0128E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128E420 mov eax, dword ptr fs:[00000030h]	6_2_0128E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128C427 mov eax, dword ptr fs:[00000030h]	6_2_0128C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01316420 mov eax, dword ptr fs:[00000030h]	6_2_01316420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA430 mov eax, dword ptr fs:[00000030h]	6_2_012CA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C8402 mov eax, dword ptr fs:[00000030h]	6_2_012C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C8402 mov eax, dword ptr fs:[00000030h]	6_2_012C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C8402 mov eax, dword ptr fs:[00000030h]	6_2_012C8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131C460 mov ecx, dword ptr fs:[00000030h]	6_2_0131C460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BA470 mov eax, dword ptr fs:[00000030h]	6_2_012BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BA470 mov eax, dword ptr fs:[00000030h]	6_2_012BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BA470 mov eax, dword ptr fs:[00000030h]	6_2_012BA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134A456 mov eax, dword ptr fs:[00000030h]	6_2_0134A456
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CE443 mov eax, dword ptr fs:[00000030h]	6_2_012CE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B245A mov eax, dword ptr fs:[00000030h]	6_2_012B245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128645D mov eax, dword ptr fs:[00000030h]	6_2_0128645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131A4B0 mov eax, dword ptr fs:[00000030h]	6_2_0131A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012964AB mov eax, dword ptr fs:[00000030h]	6_2_012964AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C44B0 mov ecx, dword ptr fs:[00000030h]	6_2_012C44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0134A49A mov eax, dword ptr fs:[00000030h]	6_2_0134A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012904E5 mov ecx, dword ptr fs:[00000030h]	6_2_012904E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130C730 mov eax, dword ptr fs:[00000030h]	6_2_0130C730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC720 mov eax, dword ptr fs:[00000030h]	6_2_012CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC720 mov eax, dword ptr fs:[00000030h]	6_2_012CC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C273C mov eax, dword ptr fs:[00000030h]	6_2_012C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C273C mov ecx, dword ptr fs:[00000030h]	6_2_012C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C273C mov eax, dword ptr fs:[00000030h]	6_2_012C273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC700 mov eax, dword ptr fs:[00000030h]	6_2_012CC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290710 mov eax, dword ptr fs:[00000030h]	6_2_01290710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C0710 mov eax, dword ptr fs:[00000030h]	6_2_012C0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298770 mov eax, dword ptr fs:[00000030h]	6_2_01298770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0770 mov eax, dword ptr fs:[00000030h]	6_2_012A0770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C674D mov esi, dword ptr fs:[00000030h]	6_2_012C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C674D mov eax, dword ptr fs:[00000030h]	6_2_012C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C674D mov eax, dword ptr fs:[00000030h]	6_2_012C674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01314755 mov eax, dword ptr fs:[00000030h]	6_2_01314755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131E75D mov eax, dword ptr fs:[00000030h]	6_2_0131E75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290750 mov eax, dword ptr fs:[00000030h]	6_2_01290750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2750 mov eax, dword ptr fs:[00000030h]	6_2_012D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2750 mov eax, dword ptr fs:[00000030h]	6_2_012D2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012907AF mov eax, dword ptr fs:[00000030h]	6_2_012907AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013447A0 mov eax, dword ptr fs:[00000030h]	6_2_013447A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133678E mov eax, dword ptr fs:[00000030h]	6_2_0133678E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B27ED mov eax, dword ptr fs:[00000030h]	6_2_012B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B27ED mov eax, dword ptr fs:[00000030h]	6_2_012B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B27ED mov eax, dword ptr fs:[00000030h]	6_2_012B27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131E7E1 mov eax, dword ptr fs:[00000030h]	6_2_0131E7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012947FB mov eax, dword ptr fs:[00000030h]	6_2_012947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012947FB mov eax, dword ptr fs:[00000030h]	6_2_012947FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129C7C0 mov eax, dword ptr fs:[00000030h]	6_2_0129C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013107C3 mov eax, dword ptr fs:[00000030h]	6_2_013107C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129262C mov eax, dword ptr fs:[00000030h]	6_2_0129262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C6620 mov eax, dword ptr fs:[00000030h]	6_2_012C6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C8620 mov eax, dword ptr fs:[00000030h]	6_2_012C8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AE627 mov eax, dword ptr fs:[00000030h]	6_2_012AE627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A260B mov eax, dword ptr fs:[00000030h]	6_2_012A260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D2619 mov eax, dword ptr fs:[00000030h]	6_2_012D2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E609 mov eax, dword ptr fs:[00000030h]	6_2_0130E609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA660 mov eax, dword ptr fs:[00000030h]	6_2_012CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA660 mov eax, dword ptr fs:[00000030h]	6_2_012CA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C2674 mov eax, dword ptr fs:[00000030h]	6_2_012C2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135866E mov eax, dword ptr fs:[00000030h]	6_2_0135866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135866E mov eax, dword ptr fs:[00000030h]	6_2_0135866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012AC640 mov eax, dword ptr fs:[00000030h]	6_2_012AC640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC6A6 mov eax, dword ptr fs:[00000030h]	6_2_012CC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C66B0 mov eax, dword ptr fs:[00000030h]	6_2_012C66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294690 mov eax, dword ptr fs:[00000030h]	6_2_01294690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294690 mov eax, dword ptr fs:[00000030h]	6_2_01294690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013106F1 mov eax, dword ptr fs:[00000030h]	6_2_013106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013106F1 mov eax, dword ptr fs:[00000030h]	6_2_013106F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0130E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0130E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0130E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E6F2 mov eax, dword ptr fs:[00000030h]	6_2_0130E6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA6C7 mov ebx, dword ptr fs:[00000030h]	6_2_012CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA6C7 mov eax, dword ptr fs:[00000030h]	6_2_012CA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0132892B mov eax, dword ptr fs:[00000030h]	6_2_0132892B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131892A mov eax, dword ptr fs:[00000030h]	6_2_0131892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131C912 mov eax, dword ptr fs:[00000030h]	6_2_0131C912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01288918 mov eax, dword ptr fs:[00000030h]	6_2_01288918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01288918 mov eax, dword ptr fs:[00000030h]	6_2_01288918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E908 mov eax, dword ptr fs:[00000030h]	6_2_0130E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130E908 mov eax, dword ptr fs:[00000030h]	6_2_0130E908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D096E mov eax, dword ptr fs:[00000030h]	6_2_012D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D096E mov edx, dword ptr fs:[00000030h]	6_2_012D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012D096E mov eax, dword ptr fs:[00000030h]	6_2_012D096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B6962 mov eax, dword ptr fs:[00000030h]	6_2_012B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B6962 mov eax, dword ptr fs:[00000030h]	6_2_012B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B6962 mov eax, dword ptr fs:[00000030h]	6_2_012B6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01334978 mov eax, dword ptr fs:[00000030h]	6_2_01334978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01334978 mov eax, dword ptr fs:[00000030h]	6_2_01334978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131C97C mov eax, dword ptr fs:[00000030h]	6_2_0131C97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364940 mov eax, dword ptr fs:[00000030h]	6_2_01364940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01310946 mov eax, dword ptr fs:[00000030h]	6_2_01310946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013189B3 mov esi, dword ptr fs:[00000030h]	6_2_013189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013189B3 mov eax, dword ptr fs:[00000030h]	6_2_013189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013189B3 mov eax, dword ptr fs:[00000030h]	6_2_013189B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012909AD mov eax, dword ptr fs:[00000030h]	6_2_012909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012909AD mov eax, dword ptr fs:[00000030h]	6_2_012909AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A29A0 mov eax, dword ptr fs:[00000030h]	6_2_012A29A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131E9E0 mov eax, dword ptr fs:[00000030h]	6_2_0131E9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C29F9 mov eax, dword ptr fs:[00000030h]	6_2_012C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C29F9 mov eax, dword ptr fs:[00000030h]	6_2_012C29F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135A9D3 mov eax, dword ptr fs:[00000030h]	6_2_0135A9D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013269C0 mov eax, dword ptr fs:[00000030h]	6_2_013269C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0129A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0129A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0129A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0129A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0129A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129A9D0 mov eax, dword ptr fs:[00000030h]	6_2_0129A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C49D0 mov eax, dword ptr fs:[00000030h]	6_2_012C49D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133483A mov eax, dword ptr fs:[00000030h]	6_2_0133483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133483A mov eax, dword ptr fs:[00000030h]	6_2_0133483A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CA830 mov eax, dword ptr fs:[00000030h]	6_2_012CA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2835 mov eax, dword ptr fs:[00000030h]	6_2_012B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2835 mov eax, dword ptr fs:[00000030h]	6_2_012B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2835 mov eax, dword ptr fs:[00000030h]	6_2_012B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2835 mov ecx, dword ptr fs:[00000030h]	6_2_012B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2835 mov eax, dword ptr fs:[00000030h]	6_2_012B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B2835 mov eax, dword ptr fs:[00000030h]	6_2_012B2835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131C810 mov eax, dword ptr fs:[00000030h]	6_2_0131C810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01326870 mov eax, dword ptr fs:[00000030h]	6_2_01326870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01326870 mov eax, dword ptr fs:[00000030h]	6_2_01326870
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131E872 mov eax, dword ptr fs:[00000030h]	6_2_0131E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131E872 mov eax, dword ptr fs:[00000030h]	6_2_0131E872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A2840 mov ecx, dword ptr fs:[00000030h]	6_2_012A2840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294859 mov eax, dword ptr fs:[00000030h]	6_2_01294859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01294859 mov eax, dword ptr fs:[00000030h]	6_2_01294859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C0854 mov eax, dword ptr fs:[00000030h]	6_2_012C0854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131C89D mov eax, dword ptr fs:[00000030h]	6_2_0131C89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290887 mov eax, dword ptr fs:[00000030h]	6_2_01290887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135A8E4 mov eax, dword ptr fs:[00000030h]	6_2_0135A8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC8F9 mov eax, dword ptr fs:[00000030h]	6_2_012CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CC8F9 mov eax, dword ptr fs:[00000030h]	6_2_012CC8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BE8C0 mov eax, dword ptr fs:[00000030h]	6_2_012BE8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_013608C0 mov eax, dword ptr fs:[00000030h]	6_2_013608C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BEB20 mov eax, dword ptr fs:[00000030h]	6_2_012BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BEB20 mov eax, dword ptr fs:[00000030h]	6_2_012BEB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01358B28 mov eax, dword ptr fs:[00000030h]	6_2_01358B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01358B28 mov eax, dword ptr fs:[00000030h]	6_2_01358B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130EB1D mov eax, dword ptr fs:[00000030h]	6_2_0130EB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364B00 mov eax, dword ptr fs:[00000030h]	6_2_01364B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0128CB7E mov eax, dword ptr fs:[00000030h]	6_2_0128CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01362B57 mov eax, dword ptr fs:[00000030h]	6_2_01362B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01362B57 mov eax, dword ptr fs:[00000030h]	6_2_01362B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01362B57 mov eax, dword ptr fs:[00000030h]	6_2_01362B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01362B57 mov eax, dword ptr fs:[00000030h]	6_2_01362B57
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133EB50 mov eax, dword ptr fs:[00000030h]	6_2_0133EB50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01338B42 mov eax, dword ptr fs:[00000030h]	6_2_01338B42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01326B40 mov eax, dword ptr fs:[00000030h]	6_2_01326B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01326B40 mov eax, dword ptr fs:[00000030h]	6_2_01326B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0135AB40 mov eax, dword ptr fs:[00000030h]	6_2_0135AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01288B50 mov eax, dword ptr fs:[00000030h]	6_2_01288B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01344B4B mov eax, dword ptr fs:[00000030h]	6_2_01344B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01344B4B mov eax, dword ptr fs:[00000030h]	6_2_01344B4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01344BB0 mov eax, dword ptr fs:[00000030h]	6_2_01344BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01344BB0 mov eax, dword ptr fs:[00000030h]	6_2_01344BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0BBE mov eax, dword ptr fs:[00000030h]	6_2_012A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0BBE mov eax, dword ptr fs:[00000030h]	6_2_012A0BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131CBF0 mov eax, dword ptr fs:[00000030h]	6_2_0131CBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BEBFC mov eax, dword ptr fs:[00000030h]	6_2_012BEBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298BF0 mov eax, dword ptr fs:[00000030h]	6_2_01298BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298BF0 mov eax, dword ptr fs:[00000030h]	6_2_01298BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298BF0 mov eax, dword ptr fs:[00000030h]	6_2_01298BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B0BCB mov eax, dword ptr fs:[00000030h]	6_2_012B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B0BCB mov eax, dword ptr fs:[00000030h]	6_2_012B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B0BCB mov eax, dword ptr fs:[00000030h]	6_2_012B0BCB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133EBD0 mov eax, dword ptr fs:[00000030h]	6_2_0133EBD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290BCD mov eax, dword ptr fs:[00000030h]	6_2_01290BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290BCD mov eax, dword ptr fs:[00000030h]	6_2_01290BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01290BCD mov eax, dword ptr fs:[00000030h]	6_2_01290BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012BEA2E mov eax, dword ptr fs:[00000030h]	6_2_012BEA2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CCA24 mov eax, dword ptr fs:[00000030h]	6_2_012CCA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CCA38 mov eax, dword ptr fs:[00000030h]	6_2_012CCA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B4A35 mov eax, dword ptr fs:[00000030h]	6_2_012B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012B4A35 mov eax, dword ptr fs:[00000030h]	6_2_012B4A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0131CA11 mov eax, dword ptr fs:[00000030h]	6_2_0131CA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130CA72 mov eax, dword ptr fs:[00000030h]	6_2_0130CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0130CA72 mov eax, dword ptr fs:[00000030h]	6_2_0130CA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CCA6F mov eax, dword ptr fs:[00000030h]	6_2_012CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CCA6F mov eax, dword ptr fs:[00000030h]	6_2_012CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CCA6F mov eax, dword ptr fs:[00000030h]	6_2_012CCA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0133EA60 mov eax, dword ptr fs:[00000030h]	6_2_0133EA60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0A5B mov eax, dword ptr fs:[00000030h]	6_2_012A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012A0A5B mov eax, dword ptr fs:[00000030h]	6_2_012A0A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01296A50 mov eax, dword ptr fs:[00000030h]	6_2_01296A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298AA0 mov eax, dword ptr fs:[00000030h]	6_2_01298AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01298AA0 mov eax, dword ptr fs:[00000030h]	6_2_01298AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012E6AA4 mov eax, dword ptr fs:[00000030h]	6_2_012E6AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_0129EA80 mov eax, dword ptr fs:[00000030h]	6_2_0129EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_01364A80 mov eax, dword ptr fs:[00000030h]	6_2_01364A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012C8A90 mov edx, dword ptr fs:[00000030h]	6_2_012C8A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CAAEE mov eax, dword ptr fs:[00000030h]	6_2_012CAAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_012CAAEE mov eax, dword ptr fs:[00000030h]	6_2_012CAAEE

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 12_2_00DD949C GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,

12_2_00DD949C

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DE2000 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		12_2_00DE2000
Source: C:\Windows\SysWOW64\raserver.exe	Code function: 12_2_00DE26B0 SetUnhandledExceptionFilter,		12_2_00DE26B0

Source: C:\Users\user\Desktop\J8bamK92a3.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe

Network Connect: 104.21.16.1 80

Jump to behavior

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe"
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe"			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write			Jump to behavior

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xF3A4F2	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xF3A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtClose: Indirect: 0xC4A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	NtQueueApcThread: Indirect: 0xC4A4F2	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\raserver.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmstp.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 4088	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Thread register set: target process: 4088	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread register set: target process: 4088	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\raserver.exe base address: DD0000			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section unmapped: C:\Windows\SysWOW64\cmstp.exe base address: EB0000			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 911008	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9EA008	Jump to behavior

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe"	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp58A8.tmp"	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JnKLdAUJztP" /XML "C:\Users\user\AppData\Local\Temp\tmp672E.tmp"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\raserver.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"	Jump to behavior

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 12_2_00DDC9F6 AllocateAndInitializeSid,GetLastError,AllocateAndInitializeSid,GetLastError,GetLengthSid,GetProcessHeap,HeapAlloc,InitializeAcl,GetLastError,AddAccessAllowedAce,GetLastError,AddAccessAllowedAce,GetLastError,InitializeSecurityDescriptor,GetLastError,SetSecurityDescriptorDacl,GetLastError,AllocateAndInitializeSid,GetLastError,SetSecurityDescriptorOwner,GetLastError,SetSecurityDescriptorGroup,GetLastError,IsValidSecurityDescriptor,GetLastError,GetProcessHeap,HeapFree,FreeSid,FreeSid,FreeSid,

12_2_00DDC9F6

Source: C:\Windows\SysWOW64\raserver.exe

12_2_00DDC9F6

Source: explorer.exe, 00000008.00000000.879201370.0000000000560000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2114284186.0000000000560000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1ProgmanV
Source: explorer.exe, 00000008.00000000.879566563.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.2115504057.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.879566563.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.881419889.0000000003F00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2115504057.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.879566563.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.2115504057.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.879566563.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000002.2115504057.0000000000BC0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000002.2122145010.00000000084DE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.885759071.00000000084DE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd*

Source: C:\Users\user\Desktop\J8bamK92a3.exe	Queries volume information: C:\Users\user\Desktop\J8bamK92a3.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\J8bamK92a3.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Queries volume information: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\JnKLdAUJztP.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Windows\SysWOW64\raserver.exe

Code function: 12_2_00DE28C5 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

12_2_00DE28C5

Source: C:\Users\user\Desktop\J8bamK92a3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.941970942.0000000003220000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114763278.0000000000D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2113807501.00000000007C0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003666000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.896953871.0000000003EBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2114901865.0000000000D80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.929277267.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.930499796.0000000003C47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	11 Disable or Modify Tools	1 Credential API Hooking	1 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 Data Encrypted for Impact
Credentials	Domains	Default Accounts	1 Shared Modules	1 Scheduled Task/Job	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	22 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	812 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	223 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Scheduled Task/Job	Login Hook	1 Scheduled Task/Job	4 Obfuscated Files or Information	NTDS	341 Security Software Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	12 Software Packing	LSA Secrets	2 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Timestomp	Cached Domain Credentials	51 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Rootkit	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	111 Masquerading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	51 Virtualization/Sandbox Evasion	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	812 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report J8bamK92a3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Persistence and Installation Behavior

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
J8bamK92a3.exe