
Analysis Report vOKMFxiCYt.exe

Overview

General Information

Sample Name: vOKMFxiCYt.exe
Analysis ID: 321296
MD5: bb30a5dd4130b071fb4ca5f005371c63
SHA1: 52c3ca02828a4ad8e8dbf790a61b3d77379ad391
SHA256: 4c73fd4286e76a094eefafe5369f3a184ca4a38d567ae6dfad61645bf968a83f
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • vOKMFxiCYt.exe (PID: 2764 cmdline: 'C:\Users\user\Desktop\vOKMFxiCYt.exe' MD5: BB30A5DD4130B071FB4CA5F005371C63)
    • RegSvcs.exe (PID: 5984 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 5028 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6040 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
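The tree above is the FormBook injection chain as the sandbox saw it: the dropper on the Desktop starts the .NET utility RegSvcs.exe and hollows it, explorer.exe is drawn beneath RegSvcs.exe because RegSvcs.exe injected into it (consistent with the injection signatures listed earlier), explorer.exe then launches raserver.exe from SysWOW64 with no arguments, and raserver.exe runs cmd.exe /c del against the hollowed RegSvcs.exe. The Python below is an added example, not part of the report or of Joe Sandbox: three detections run over process-creation records constructed from that tree. The image paths for explorer.exe and cmd.exe are not printed in the report and are assumed; AppData and Temp are added to the user-writable path list as the usual alternatives to Desktop; the rule names are this example's own.

```python
"""Added example: three detections over the Startup tree above.

EVENTS is constructed from the report's process tree (pid, ppid, image,
command line). Image paths for explorer.exe and cmd.exe are assumed.
Rule names are this example's own, not Joe Sandbox signature names.
"""
import re

EVENTS = [
    {"pid": 2764, "ppid": 0, "image": r"C:\Users\user\Desktop\vOKMFxiCYt.exe",
     "cmdline": r"C:\Users\user\Desktop\vOKMFxiCYt.exe"},
    {"pid": 5984, "ppid": 2764,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"pid": 3388, "ppid": 5984, "image": r"C:\Windows\explorer.exe",  # path assumed
     "cmdline": ""},
    {"pid": 5028, "ppid": 3388, "image": r"C:\Windows\SysWOW64\raserver.exe",
     "cmdline": r"C:\Windows\SysWOW64\raserver.exe"},
    {"pid": 6040, "ppid": 5028, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'"},
    {"pid": 4104, "ppid": 6040, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Desktop is what the report shows; AppData and Temp are added as the usual alternatives.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
# `cmd /c del <path.exe>` with optional single or double quotes around the path.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?([^'\"]+\.exe)['\"]?", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, related_pid) triples for every matching record."""
    by_pid = {e["pid"]: e for e in events}
    by_image = {e["image"].lower(): e["pid"] for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        img = e["image"].lower()
        cmd = e["cmdline"].strip().strip("'\"").lower()

        # Rule 1: a .NET Framework utility started by a binary living in a user-writable path
        # (the classic hollowing host pattern: RegSvcs.exe spawned from Desktop).
        if "\\microsoft.net\\framework" in img and parent \
                and any(p in parent["image"].lower() for p in USER_WRITABLE):
            findings.append(("dotnet_host_from_user_path", e["pid"], parent["pid"]))

        # Rule 2: explorer.exe starting a SysWOW64 binary with a bare image path and no
        # arguments; weak on its own, strong next to Rule 1 in the same tree.
        if parent and basename(parent["image"]) == "explorer.exe" \
                and "\\syswow64\\" in img and cmd == img:
            findings.append(("explorer_spawns_syswow64_noargs", e["pid"], parent["pid"]))

        # Rule 3: cmd.exe /c del whose target is the image of another process in this tree,
        # i.e. the chain deleting its own hollowed host.
        if basename(e["image"]) == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            if m and m.group(1).lower() in by_image:
                findings.append(("self_delete_of_tree_member", e["pid"], by_image[m.group(1).lower()]))
    return findings


if __name__ == "__main__":
    for rule, pid, other in detect(EVENTS):
        print(f"{rule}: pid {pid} (related pid {other})")
```

Rule 3 is the one worth alerting on by itself: a `del` aimed at a signed Microsoft binary that another process in the same tree was just running has no benign reading. Rules 1 and 2 are corroborating signals and should be scored together rather than paged on individually.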

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
19 further entries not shown.

        Unpacked PEs

Source | Rule | Description | Author
1.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18409:$sqlite3step: 68 34 1C 7B E1
          • 0x1851c:$sqlite3step: 68 34 1C 7B E1
          • 0x18438:$sqlite3text: 68 38 2A 90 C5
          • 0x1855d:$sqlite3text: 68 38 2A 90 C5
          • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
            • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
            • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
            • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
            • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
            • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
            • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
            • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
            • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
            • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
            • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further entry not shown.
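The string hits above can be rechecked without YARA. Each JPCERT `$sqlite3*` string is a five-byte x86 `push imm32` (opcode 0x68) whose immediate is the 32-bit constant the sample pushes in place of the plain sqlite3 function name (FormBook resolves imports by hash, so the constant rather than the string "sqlite3_step" is what appears in memory), and the yara-signator `$sequence_0` bytes `03 C8 0F 31 2B C1 89 45 FC` disassemble to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the RDTSC timing check reported under "Tries to detect virtualization through RDTSC time measurements". The Python below is an added example, not part of the report or of either rule: it scans a constructed buffer (not the real dump) for those byte strings, decodes the pushed constants, and applies a simplified condition of its own, which is not the real condition of either rule.

```python
"""Added example: recheck the YARA string hits above without running YARA.

PATTERNS are copied from the Strings column of the yara-signator and JPCERT
hits in this report; the scanned image is a constructed buffer, not the dump.
"""
import struct

PATTERNS = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax  (RDTSC timing check)
    "sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    # Each of these is `push imm32` (opcode 0x68) followed by a 32-bit constant.
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}


def find_all(blob, pattern):
    """Every offset at which `pattern` occurs in `blob` (overlapping hits included)."""
    hits = []
    pos = blob.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(pattern, pos + 1)
    return hits


def scan(blob):
    """Offsets per pattern, in the same shape as the report's Strings column."""
    return {name: find_all(blob, pat) for name, pat in PATTERNS.items()}


def push_imm32(pattern):
    """Decode a 5-byte x86 `push imm32` into the little-endian constant it pushes."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32 encoding")
    return struct.unpack("<I", pattern[1:])[0]


def looks_like_formbook(blob):
    """This example's own simplified condition (not either rule's real condition):
    all three sqlite3 constants present plus at least one rdtsc sequence."""
    hits = scan(blob)
    sqlite_all = all(hits[n] for n in ("sqlite3step", "sqlite3text", "sqlite3blob"))
    return sqlite_all and bool(hits["sequence_0"])


def build_sample():
    """Constructed 8 KiB image with the patterns planted at chosen offsets."""
    img = bytearray(b"\x90" * 0x2000)
    plan = [(0x98E, "sequence_0"), (0x9B6, "sequence_0"),
            (0x1840, "sqlite3step"), (0x1850, "sqlite3text"),
            (0x1860, "sqlite3blob"), (0x1900, "sqlite3step")]
    for off, name in plan:
        pat = PATTERNS[name]
        img[off:off + len(pat)] = pat
    return bytes(img)


if __name__ == "__main__":
    img = build_sample()
    for name, offs in scan(img).items():
        print(name, [hex(o) for o in offs])
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        print(name, hex(push_imm32(PATTERNS[name])))
    print("formbook-like:", looks_like_formbook(img))
```

The decoded constants (0xE17B1C34, 0xC5902A38, 0x8C7FD853) are the values to carry into a disassembler when locating the sqlite3 resolver in a new unpacked dump; the offsets themselves shift between builds, which is why the report shows different offsets for the `.raw.unpack` and `.unpack` images.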

            Sigma Overview

            No Sigma rule has matched

            Signature Overview


            AV Detection:

Multi AV Scanner detection for submitted file
Source: vOKMFxiCYt.exe | ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: vOKMFxiCYt.exe | Joe Sandbox ML: detected
Source: 1.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

            Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49737
Source: global traffic | HTTP traffic detected: GET /glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4 HTTP/1.1 | Host: www.tessuto.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh HTTP/1.1 | Host: www.reem.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP HTTP/1.1 | Host: www.themaskedstitcher.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh HTTP/1.1 | Host: www.auctionpros.club | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 198.49.23.141
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.tessuto.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Fri, 20 Nov 2020 19:05:26 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: raserver.exe, 00000004.00000002.506812727.000000000574F000.00000004.00000001.sdmp | String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=
Source: explorer.exe, 00000002.00000000.257287184.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: vOKMFxiCYt.exe, 00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.257451779.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: vOKMFxiCYt.exe, 00000000.00000002.241448279.0000000000D2A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
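The four GETs above share one path (/glt/), one fixed parameter value (SP=cnxhAdAh) next to a long variable one (V4), a Connection: close header, a seven-byte all-zero body on a GET, and no User-Agent, fanned out across four unrelated hosts; that combination is what the "HTTP GET or POST without a user agent" signature is reacting to, and the 403 and 404 replies show the decoy hosts did not serve the path. The Python below is an added example, not part of the report: it parses requests rebuilt from the lines above (plus one constructed benign request), flags each of those traits, and adds the cross-request traits (same path on many hosts, same parameter value on many hosts). The host threshold and the flag names are this example's own.

```python
"""Added example: flag the FormBook-style beaconing seen in the HTTP lines above.

RAW_REQUESTS are rebuilt from the four GETs in the report (7-byte null body,
no User-Agent) plus one constructed benign request; the min_hosts threshold
and the flag names are this example's own.
"""
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit


def _req(target, host):
    """Build a raw request as the sandbox showed it: no User-Agent, 7 null bytes of body."""
    head = f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    return head.encode() + b"\x00" * 7


RAW_REQUESTS = [
    _req("/glt/?SP=cnxhAdAh&V4=RXCBf+kTtqMKofvvq54zDDgrcqehmcxCBUCamp/3E7fzZOB7U/XBgSeZZ5TRQ//94zw4", "www.tessuto.net"),
    _req("/glt/?V4=MLpAZ0AK/spUlt1gTLvrDwTqfxMoBLVQzrzuTOkSqlsdFHJLAwBY2ZzU1xSBGMRzyeG8&SP=cnxhAdAh", "www.reem.pro"),
    _req("/glt/?SP=cnxhAdAh&V4=oeIisVoovR5GVMPXvvkWG2hSa0zFuUbByopAkVC9hBB+Ndji49czoVDBLaeM7MDZ9TnP", "www.themaskedstitcher.com"),
    _req("/glt/?V4=hWCSv9Zrwql4NKRqpOYz8tuCeFQ4j+1tRbbWxD4HfruMRkMSYBHm3MJuhB2jB30ChDel&SP=cnxhAdAh", "www.auctionpros.club"),
    # Constructed benign request: has a User-Agent, no body, keep-alive.
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, query dict, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {"method": method, "path": parts.path, "query": parse_qs(parts.query),
            "headers": headers, "body": body}


def per_request_flags(req):
    """Traits visible in a single request."""
    f = set()
    if "user-agent" not in req["headers"]:
        f.add("no_user_agent")
    if req["method"] == "GET" and req["body"]:
        f.add("get_with_body")
    if req["headers"].get("connection", "").lower() == "close":
        f.add("connection_close")
    return f


def path_hosts(reqs):
    """Map each URL path to the set of Host values it was requested from."""
    hosts = defaultdict(set)
    for r in reqs:
        hosts[r["path"]].add(r["headers"].get("host", ""))
    return hosts


def shared_query_values(reqs, min_hosts):
    """(param, value) pairs that recur unchanged across at least min_hosts hosts."""
    seen = defaultdict(set)
    for r in reqs:
        for k, vals in r["query"].items():
            for v in vals:
                seen[(k, v)].add(r["headers"].get("host", ""))
    return {kv for kv, hosts in seen.items() if len(hosts) >= min_hosts}


def analyse(raw_requests, min_hosts=3):
    """Return (host, sorted flag list) per request, including cross-request traits."""
    reqs = [parse_request(r) for r in raw_requests]
    fan = path_hosts(reqs)
    shared = shared_query_values(reqs, min_hosts)
    out = []
    for r in reqs:
        f = per_request_flags(r)
        if len(fan[r["path"]]) >= min_hosts:
            f.add("same_path_many_hosts")
        if any((k, v) in shared for k, vals in r["query"].items() for v in vals):
            f.add("shared_query_value")
        out.append((r["headers"].get("host", ""), sorted(f)))
    return out


if __name__ == "__main__":
    for host, flags in analyse(RAW_REQUESTS):
        print(f"{host:28s} {', '.join(flags) or '-'}")
```

The cross-request traits are the durable ones: the decoy domains and the V4 payload change per sample, but a short fixed parameter repeated verbatim against several unrelated hosts on the same path is a property of the beacon format, and it survives the operator rotating domains.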

            E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

            System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00419D60 NtCreateFile,1_2_00419D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00419E10 NtReadFile,1_2_00419E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00419E90 NtClose,1_2_00419E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory,1_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00419E8A NtClose,1_2_00419E8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_01699910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016999A0 NtCreateSection,LdrInitializeThunk,1_2_016999A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699860 NtQuerySystemInformation,LdrInitializeThunk,1_2_01699860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699840 NtDelayExecution,LdrInitializeThunk,1_2_01699840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016998F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_016998F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699A50 NtCreateFile,LdrInitializeThunk,1_2_01699A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699A20 NtResumeThread,LdrInitializeThunk,1_2_01699A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_01699A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699540 NtReadFile,LdrInitializeThunk,1_2_01699540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016995D0 NtClose,LdrInitializeThunk,1_2_016995D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699710 NtQueryInformationToken,LdrInitializeThunk,1_2_01699710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016997A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_016997A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699780 NtMapViewOfSection,LdrInitializeThunk,1_2_01699780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_01699660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016996E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_016996E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699950 NtQueueApcThread,1_2_01699950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016999D0 NtCreateProcessEx,1_2_016999D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0169B040 NtSuspendThread,1_2_0169B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699820 NtEnumerateKey,1_2_01699820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016998A0 NtWriteVirtualMemory,1_2_016998A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699B00 NtSetValueKey,1_2_01699B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0169A3B0 NtGetContextThread,1_2_0169A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699A10 NtQuerySection,1_2_01699A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699A80 NtOpenDirectoryObject,1_2_01699A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699560 NtWriteFile,1_2_01699560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699520 NtWaitForSingleObject,1_2_01699520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0169AD30 NtSetContextThread,1_2_0169AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016995F0 NtQueryInformationFile,1_2_016995F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699760 NtOpenProcess,1_2_01699760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699770 NtSetInformationFile,1_2_01699770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0169A770 NtOpenThread,1_2_0169A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699730 NtQueryVirtualMemory,1_2_01699730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0169A710 NtOpenProcessToken,1_2_0169A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699FE0 NtCreateMutant,1_2_01699FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699670 NtQueryInformationProcess,1_2_01699670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699650 NtQueryValueKey,1_2_01699650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_01699610 NtEnumerateValueKey,1_2_01699610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016996D0 NtCreateKey,1_2_016996D0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99840 NtDelayExecution,LdrInitializeThunk,4_2_04D99840
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99860 NtQuerySystemInformation,LdrInitializeThunk,4_2_04D99860
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D995D0 NtClose,LdrInitializeThunk,4_2_04D995D0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D999A0 NtCreateSection,LdrInitializeThunk,4_2_04D999A0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99540 NtReadFile,LdrInitializeThunk,4_2_04D99540
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99910 NtAdjustPrivilegesToken,LdrInitializeThunk,4_2_04D99910
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D996D0 NtCreateKey,LdrInitializeThunk,4_2_04D996D0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D996E0 NtFreeVirtualMemory,LdrInitializeThunk,4_2_04D996E0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99A50 NtCreateFile,LdrInitializeThunk,4_2_04D99A50
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99650 NtQueryValueKey,LdrInitializeThunk,4_2_04D99650
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99660 NtAllocateVirtualMemory,LdrInitializeThunk,4_2_04D99660
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99FE0 NtCreateMutant,LdrInitializeThunk,4_2_04D99FE0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99780 NtMapViewOfSection,LdrInitializeThunk,4_2_04D99780
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99710 NtQueryInformationToken,LdrInitializeThunk,4_2_04D99710
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D998F0 NtReadVirtualMemory,4_2_04D998F0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D998A0 NtWriteVirtualMemory,4_2_04D998A0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D9B040 NtSuspendThread,4_2_04D9B040
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99820 NtEnumerateKey,4_2_04D99820
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D999D0 NtCreateProcessEx,4_2_04D999D0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D995F0 NtQueryInformationFile,4_2_04D995F0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99950 NtQueueApcThread,4_2_04D99950
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99560 NtWriteFile,4_2_04D99560
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D9AD30 NtSetContextThread,4_2_04D9AD30
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99520 NtWaitForSingleObject,4_2_04D99520
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99A80 NtOpenDirectoryObject,4_2_04D99A80
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99670 NtQueryInformationProcess,4_2_04D99670
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99610 NtEnumerateValueKey,4_2_04D99610
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99A10 NtQuerySection,4_2_04D99A10
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99A00 NtProtectVirtualMemory,4_2_04D99A00
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99A20 NtResumeThread,4_2_04D99A20
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D9A3B0 NtGetContextThread,4_2_04D9A3B0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D997A0 NtUnmapViewOfSection,4_2_04D997A0
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99770 NtSetInformationFile,4_2_04D99770
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D9A770 NtOpenThread,4_2_04D9A770
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99760 NtOpenProcess,4_2_04D99760
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D9A710 NtOpenProcessToken,4_2_04D9A710
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99B00 NtSetValueKey,4_2_04D99B00
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04D99730 NtQueryVirtualMemory,4_2_04D99730
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E19D60 NtCreateFile,4_2_00E19D60
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E19E90 NtClose,4_2_00E19E90
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E19E10 NtReadFile,4_2_00E19E10
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E19F40 NtAllocateVirtualMemory,4_2_00E19F40
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E19E8A NtClose,4_2_00E19E8A
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_0112E2660_2_0112E266
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_011265780_2_01126578
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_011265690_2_01126569
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_0112C7A80_2_0112C7A8
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_011297480_2_01129748
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05004CC00_2_05004CC0
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05007E280_2_05007E28
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05008E280_2_05008E28
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_05009B800_2_05009B80
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeCode function: 0_2_0500DAE80_2_0500DAE8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_004010301_2_00401030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041D1601_2_0041D160
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041DAD41_2_0041DAD4
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00402D901_2_00402D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00409E401_2_00409E40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00409E3C1_2_00409E3C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041D6861_2_0041D686
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041DF721_2_0041DF72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0041E7CC1_2_0041E7CC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_00402FB01_2_00402FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016741201_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165F9001_2_0165F900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017110021_2_01711002
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017228EC1_2_017228EC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A01_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017220A81_2_017220A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B0901_2_0166B090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01722B281_2_01722B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171DBD21_2_0171DBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168EBB01_2_0168EBB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017222AE1_2_017222AE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01721D551_2_01721D55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01650D201_2_01650D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01722D071_2_01722D07
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166D5E01_2_0166D5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_017225DD1_2_017225DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016825811_2_01682581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171D4661_2_0171D466
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166841F1_2_0166841F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01721FF11_2_01721FF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01676E301_2_01676E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171D6161_2_0171D616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01722EF71_2_01722EF7
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E228EC4_2_04E228EC
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D6B0904_2_04D6B090
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E220A84_2_04E220A8
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D820A04_2_04D820A0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E1D4664_2_04E1D466
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D6841F4_2_04D6841F
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E110024_2_04E11002
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D6D5E04_2_04D6D5E0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E225DD4_2_04E225DD
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D825814_2_04D82581
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E21D554_2_04E21D55
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D5F9004_2_04D5F900
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E22D074_2_04E22D07
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D50D204_2_04D50D20
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D741204_2_04D74120
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E22EF74_2_04E22EF7
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E222AE4_2_04E222AE
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D76E304_2_04D76E30
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E21FF14_2_04E21FF1
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E1DBD24_2_04E1DBD2
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04D8EBB04_2_04D8EBB0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_04E22B284_2_04E22B28
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E1D1604_2_00E1D160
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E02D904_2_00E02D90
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E09E404_2_00E09E40
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E09E3C4_2_00E09E3C
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E02FB04_2_00E02FB0
            Source: C:\Windows\SysWOW64\raserver.exeCode function: 4_2_00E1DF724_2_00E1DF72
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: String function: 0165B150 appears 35 times
            Source: C:\Windows\SysWOW64\raserver.exeCode function: String function: 04D5B150 appears 35 times
            Source: vOKMFxiCYt.exeBinary or memory string: OriginalFilename vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exe, 00000000.00000002.240626128.0000000000622000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameLqei.exe4 vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exe, 00000000.00000002.245690399.0000000005C00000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameKedermister.dllT vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exe, 00000000.00000002.241448279.0000000000D2A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs vOKMFxiCYt.exe
            Source: vOKMFxiCYt.exeBinary or memory string: OriginalFilenameLqei.exe4 vs vOKMFxiCYt.exe
            Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.272036979.00000000015B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.271729564.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.242174585.0000000003AC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.504019492.0000000001140000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.272011723.0000000001580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.503167127.0000000000E00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.505106609.0000000004AF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: vOKMFxiCYt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@4/4
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vOKMFxiCYt.exe.logJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4104:120:WilError_01
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeMutant created: \Sessions\1\BaseNamedObjects\DGxsVlh
            Source: vOKMFxiCYt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\vOKMFxiCYt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: vOKMFxiCYt.exe | ReversingLabs: Detection: 35%
Source: unknown | Process created: C:\Users\user\Desktop\vOKMFxiCYt.exe 'C:\Users\user\Desktop\vOKMFxiCYt.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: vOKMFxiCYt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vOKMFxiCYt.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: RegSvcs.pdb, source: raserver.exe, 00000004.00000002.506744729.000000000525F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.272089721.0000000001630000.00000040.00000001.sdmp, raserver.exe, 00000004.00000002.505341361.0000000004D30000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, raserver.exe
Source: Binary string: RAServer.pdb source: RegSvcs.exe, 00000001.00000002.272464370.0000000001B70000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: raserver.exe, 00000004.00000002.506744729.000000000525F000.00000004.00000001.sdmp
Source: Binary string: RAServer.pdbGCTL source: RegSvcs.exe, 00000001.00000002.272464370.0000000001B70000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Code function: 0_2_006248FC push edx; retf 0_2_006248FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00417A32 push es; iretd 1_2_00417A3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_016AD0D1 push ecx; ret 1_2_016AD0E4
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_04DAD0D1 push ecx; ret 4_2_04DAD0E4
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E17A32 push es; iretd 4_2_00E17A3B
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E1CEB5 push eax; ret 4_2_00E1CF08
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E1CF6C push eax; ret 4_2_00E1CF72
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E1CF02 push eax; ret 4_2_00E1CF08
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4_2_00E1CF0B push eax; ret 4_2_00E1CF72
Source: initial sample | Static PE information: section name: .text entropy: 7.62841280925

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x86 0x6E 0xE5
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\raserver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match | File source: 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241858795.0000000002AC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: vOKMFxiCYt.exe PID: 2764, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000E098E4 second address: 0000000000E098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\raserver.exe | RDTSC instruction interceptor: First address: 0000000000E09B5E second address: 0000000000E09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe TID: 4120 | Thread sleep time: -50971s >= -30000s
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe TID: 5968 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6520 | Thread sleep count: 40 > 30
Source: C:\Windows\explorer.exe TID: 6520 | Thread sleep time: -80000s >= -30000s
Source: C:\Windows\SysWOW64\raserver.exe TID: 2432 | Thread sleep time: -80000s >= -30000s
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: explorer.exe, 00000002.00000000.245822763.0000000001398000.00000004.00000020.sdmp | Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.256631003.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp | Binary or memory string: 26700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAK
Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000002.00000000.256810528.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000002.00000002.516234509.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: explorer.exe, 00000002.00000002.504133649.0000000001398000.00000004.00000020.sdmp | Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&t
Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: vOKMFxiCYt.exe, 00000000.00000002.241947943.0000000002B43000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.256227902.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\vOKMFxiCYt.exe | Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\raserver.exe | Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0165C962 mov eax, dword ptr fs:[00000030h] 1_2_0165C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 1_2_0165B171 mov eax, dword ptr fs:[00000030h] 1_2_0165B171
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165B171 mov eax, dword ptr fs:[00000030h]1_2_0165B171
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167B944 mov eax, dword ptr fs:[00000030h]1_2_0167B944
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167B944 mov eax, dword ptr fs:[00000030h]1_2_0167B944
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]1_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]1_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]1_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01674120 mov eax, dword ptr fs:[00000030h]1_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01674120 mov ecx, dword ptr fs:[00000030h]1_2_01674120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168513A mov eax, dword ptr fs:[00000030h]1_2_0168513A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168513A mov eax, dword ptr fs:[00000030h]1_2_0168513A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659100 mov eax, dword ptr fs:[00000030h]1_2_01659100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659100 mov eax, dword ptr fs:[00000030h]1_2_01659100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659100 mov eax, dword ptr fs:[00000030h]1_2_01659100
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165B1E1 mov eax, dword ptr fs:[00000030h]1_2_0165B1E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165B1E1 mov eax, dword ptr fs:[00000030h]1_2_0165B1E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165B1E1 mov eax, dword ptr fs:[00000030h]1_2_0165B1E1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016E41E8 mov eax, dword ptr fs:[00000030h]1_2_016E41E8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016861A0 mov eax, dword ptr fs:[00000030h]1_2_016861A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016861A0 mov eax, dword ptr fs:[00000030h]1_2_016861A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D69A6 mov eax, dword ptr fs:[00000030h]1_2_016D69A6
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]1_2_016D51BE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]1_2_016D51BE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]1_2_016D51BE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D51BE mov eax, dword ptr fs:[00000030h]1_2_016D51BE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167C182 mov eax, dword ptr fs:[00000030h]1_2_0167C182
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168A185 mov eax, dword ptr fs:[00000030h]1_2_0168A185
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682990 mov eax, dword ptr fs:[00000030h]1_2_01682990
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01712073 mov eax, dword ptr fs:[00000030h]1_2_01712073
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01721074 mov eax, dword ptr fs:[00000030h]1_2_01721074
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01670050 mov eax, dword ptr fs:[00000030h]1_2_01670050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01670050 mov eax, dword ptr fs:[00000030h]1_2_01670050
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]1_2_0168002D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]1_2_0168002D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]1_2_0168002D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]1_2_0168002D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168002D mov eax, dword ptr fs:[00000030h]1_2_0168002D
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]1_2_0166B02A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]1_2_0166B02A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]1_2_0166B02A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0166B02A mov eax, dword ptr fs:[00000030h]1_2_0166B02A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01724015 mov eax, dword ptr fs:[00000030h]1_2_01724015
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01724015 mov eax, dword ptr fs:[00000030h]1_2_01724015
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D7016 mov eax, dword ptr fs:[00000030h]1_2_016D7016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D7016 mov eax, dword ptr fs:[00000030h]1_2_016D7016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D7016 mov eax, dword ptr fs:[00000030h]1_2_016D7016
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016558EC mov eax, dword ptr fs:[00000030h]1_2_016558EC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]1_2_016EB8D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov ecx, dword ptr fs:[00000030h]1_2_016EB8D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]1_2_016EB8D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]1_2_016EB8D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]1_2_016EB8D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016EB8D0 mov eax, dword ptr fs:[00000030h]1_2_016EB8D0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016990AF mov eax, dword ptr fs:[00000030h]1_2_016990AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016820A0 mov eax, dword ptr fs:[00000030h]1_2_016820A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168F0BF mov ecx, dword ptr fs:[00000030h]1_2_0168F0BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168F0BF mov eax, dword ptr fs:[00000030h]1_2_0168F0BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168F0BF mov eax, dword ptr fs:[00000030h]1_2_0168F0BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659080 mov eax, dword ptr fs:[00000030h]1_2_01659080
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D3884 mov eax, dword ptr fs:[00000030h]1_2_016D3884
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D3884 mov eax, dword ptr fs:[00000030h]1_2_016D3884
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165DB60 mov ecx, dword ptr fs:[00000030h]1_2_0165DB60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01683B7A mov eax, dword ptr fs:[00000030h]1_2_01683B7A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01683B7A mov eax, dword ptr fs:[00000030h]1_2_01683B7A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165DB40 mov eax, dword ptr fs:[00000030h]1_2_0165DB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728B58 mov eax, dword ptr fs:[00000030h]1_2_01728B58
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0165F358 mov eax, dword ptr fs:[00000030h]1_2_0165F358
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171131B mov eax, dword ptr fs:[00000030h]1_2_0171131B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]1_2_016803E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]1_2_016803E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]1_2_016803E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]1_2_016803E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]1_2_016803E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016803E2 mov eax, dword ptr fs:[00000030h]1_2_016803E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0167DBE9 mov eax, dword ptr fs:[00000030h]1_2_0167DBE9
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D53CA mov eax, dword ptr fs:[00000030h]1_2_016D53CA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016D53CA mov eax, dword ptr fs:[00000030h]1_2_016D53CA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684BAD mov eax, dword ptr fs:[00000030h]1_2_01684BAD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684BAD mov eax, dword ptr fs:[00000030h]1_2_01684BAD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01684BAD mov eax, dword ptr fs:[00000030h]1_2_01684BAD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01725BA5 mov eax, dword ptr fs:[00000030h]1_2_01725BA5
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01661B8F mov eax, dword ptr fs:[00000030h]1_2_01661B8F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01661B8F mov eax, dword ptr fs:[00000030h]1_2_01661B8F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0170D380 mov ecx, dword ptr fs:[00000030h]1_2_0170D380
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0168B390 mov eax, dword ptr fs:[00000030h]1_2_0168B390
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171138A mov eax, dword ptr fs:[00000030h]1_2_0171138A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01682397 mov eax, dword ptr fs:[00000030h]1_2_01682397
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0170B260 mov eax, dword ptr fs:[00000030h]1_2_0170B260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0170B260 mov eax, dword ptr fs:[00000030h]1_2_0170B260
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01728A62 mov eax, dword ptr fs:[00000030h]1_2_01728A62
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0169927A mov eax, dword ptr fs:[00000030h]1_2_0169927A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171EA55 mov eax, dword ptr fs:[00000030h]1_2_0171EA55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]1_2_01659240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]1_2_01659240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]1_2_01659240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01659240 mov eax, dword ptr fs:[00000030h]1_2_01659240
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_016E4257 mov eax, dword ptr fs:[00000030h]1_2_016E4257
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01694A2C mov eax, dword ptr fs:[00000030h]1_2_01694A2C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_01694A2C mov eax, dword ptr fs:[00000030h]1_2_01694A2C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171AA16 mov eax, dword ptr fs:[00000030h]1_2_0171AA16
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 1_2_0171AA16 mov eax, dword ptr fs:[00000030h]1_2_0171AA16