Analysis Report J0OmHIagw8.exe

Overview

General Information

Sample Name: J0OmHIagw8.exe
Analysis ID: 339323
MD5: 92ff500a693078263908c83b4b290481
SHA1: fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256: 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to download HTTP data from a sinkholed server
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT Avira URL Cloud: Label: phishing
Source: http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT Avira URL Cloud: Label: malware
Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack Malware Configuration Extractor: FormBook {"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", 
"0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "----------------------------
Multi AV Scanner detection for submitted file
Source: J0OmHIagw8.exe Virustotal: Detection: 31% Perma Link
Yara detected FormBook
Source: Yara match File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: J0OmHIagw8.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.vbc.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: J0OmHIagw8.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: J0OmHIagw8.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
Source: Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
Source: Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then pop ebx 5_2_00406A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then pop edi 5_2_0040C3D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 4x nop then pop edi 5_2_0040C3AE
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 8_2_030FC3AE
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 8_2_030FC3D7
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop ebx 8_2_030F6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49755
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49771
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Tries to download HTTP data from a sinkholed server
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:16:25 GMTServer: X-SinkHole: Malware DNS SinkHole ServerContent-Length: 307Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 13 Jan 2021 20:17:53 GMTServer: X-SinkHole: Malware DNS SinkHole ServerContent-Length: 307Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1Host: www.logansshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1Host: www.exit-divorce.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1Host: www.splendidhotelspa.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1Host: www.stnanguo.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1Host: www.soundon.eventsConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 45.77.226.209 45.77.226.209
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View ASN Name: OVHFR OVHFR
Source: unknown DNS traffic detected: queries for: www.herbmedia.net
Source: explorer.exe, 00000006.00000003.291409665.00000000089DC000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.264819810.000000000F440000.00000004.00000001.sdmp String found in binary or memory: http://logo.verisign
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004181C0 NtCreateFile, 5_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00418270 NtReadFile, 5_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004182F0 NtClose, 5_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004183A0 NtAllocateVirtualMemory, 5_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004181BA NtCreateFile, 5_2_004181BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041826A NtReadFile, 5_2_0041826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409540 NtReadFile,LdrInitializeThunk, 5_2_05409540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054095D0 NtClose,LdrInitializeThunk, 5_2_054095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409710 NtQueryInformationToken,LdrInitializeThunk, 5_2_05409710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409FE0 NtCreateMutant,LdrInitializeThunk, 5_2_05409FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409780 NtMapViewOfSection,LdrInitializeThunk, 5_2_05409780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054097A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_054097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_05409660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054096E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_054096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_05409910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054099A0 NtCreateSection,LdrInitializeThunk, 5_2_054099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409840 NtDelayExecution,LdrInitializeThunk, 5_2_05409840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_05409860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054098F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_054098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409A50 NtCreateFile,LdrInitializeThunk, 5_2_05409A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_05409A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409A20 NtResumeThread,LdrInitializeThunk, 5_2_05409A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409560 NtWriteFile, 5_2_05409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409520 NtWaitForSingleObject, 5_2_05409520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0540AD30 NtSetContextThread, 5_2_0540AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054095F0 NtQueryInformationFile, 5_2_054095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409760 NtOpenProcess, 5_2_05409760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409770 NtSetInformationFile, 5_2_05409770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0540A770 NtOpenThread, 5_2_0540A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0540A710 NtOpenProcessToken, 5_2_0540A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409730 NtQueryVirtualMemory, 5_2_05409730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409650 NtQueryValueKey, 5_2_05409650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409670 NtQueryInformationProcess, 5_2_05409670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409610 NtEnumerateValueKey, 5_2_05409610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054096D0 NtCreateKey, 5_2_054096D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409950 NtQueueApcThread, 5_2_05409950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054099D0 NtCreateProcessEx, 5_2_054099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0540B040 NtSuspendThread, 5_2_0540B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409820 NtEnumerateKey, 5_2_05409820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054098A0 NtWriteVirtualMemory, 5_2_054098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409B00 NtSetValueKey, 5_2_05409B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0540A3B0 NtGetContextThread, 5_2_0540A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409A10 NtQuerySection, 5_2_05409A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05409A80 NtOpenDirectoryObject, 5_2_05409A80
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E595D0 NtClose,LdrInitializeThunk, 8_2_04E595D0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59540 NtReadFile,LdrInitializeThunk, 8_2_04E59540
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E596E0 NtFreeVirtualMemory,LdrInitializeThunk, 8_2_04E596E0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E596D0 NtCreateKey,LdrInitializeThunk, 8_2_04E596D0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59660 NtAllocateVirtualMemory,LdrInitializeThunk, 8_2_04E59660
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59650 NtQueryValueKey,LdrInitializeThunk, 8_2_04E59650
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59FE0 NtCreateMutant,LdrInitializeThunk, 8_2_04E59FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59780 NtMapViewOfSection,LdrInitializeThunk, 8_2_04E59780
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59710 NtQueryInformationToken,LdrInitializeThunk, 8_2_04E59710
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59860 NtQuerySystemInformation,LdrInitializeThunk, 8_2_04E59860
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59840 NtDelayExecution,LdrInitializeThunk, 8_2_04E59840
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E599A0 NtCreateSection,LdrInitializeThunk, 8_2_04E599A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59910 NtAdjustPrivilegesToken,LdrInitializeThunk, 8_2_04E59910
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59A50 NtCreateFile,LdrInitializeThunk, 8_2_04E59A50
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E595F0 NtQueryInformationFile, 8_2_04E595F0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59560 NtWriteFile, 8_2_04E59560
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59520 NtWaitForSingleObject, 8_2_04E59520
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E5AD30 NtSetContextThread, 8_2_04E5AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59670 NtQueryInformationProcess, 8_2_04E59670
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59610 NtEnumerateValueKey, 8_2_04E59610
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E597A0 NtUnmapViewOfSection, 8_2_04E597A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59760 NtOpenProcess, 8_2_04E59760
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E5A770 NtOpenThread, 8_2_04E5A770
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59770 NtSetInformationFile, 8_2_04E59770
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59730 NtQueryVirtualMemory, 8_2_04E59730
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E5A710 NtOpenProcessToken, 8_2_04E5A710
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E598F0 NtReadVirtualMemory, 8_2_04E598F0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E598A0 NtWriteVirtualMemory, 8_2_04E598A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E5B040 NtSuspendThread, 8_2_04E5B040
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59820 NtEnumerateKey, 8_2_04E59820
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E599D0 NtCreateProcessEx, 8_2_04E599D0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59950 NtQueueApcThread, 8_2_04E59950
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59A80 NtOpenDirectoryObject, 8_2_04E59A80
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59A20 NtResumeThread, 8_2_04E59A20
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59A00 NtProtectVirtualMemory, 8_2_04E59A00
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59A10 NtQuerySection, 8_2_04E59A10
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E5A3B0 NtGetContextThread, 8_2_04E5A3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E59B00 NtSetValueKey, 8_2_04E59B00
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_031083A0 NtAllocateVirtualMemory, 8_2_031083A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_03108270 NtReadFile, 8_2_03108270
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_031082F0 NtClose, 8_2_031082F0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_031081C0 NtCreateFile, 8_2_031081C0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310826A NtReadFile, 8_2_0310826A
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_031081BA NtCreateFile, 8_2_031081BA
Detected potential crypto function
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Code function: 0_2_00E58D5D 0_2_00E58D5D
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Code function: 0_2_0303CAE4 0_2_0303CAE4
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Code function: 0_2_0303EEA2 0_2_0303EEA2
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Code function: 0_2_0303EEB0 0_2_0303EEB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041B8A3 5_2_0041B8A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041C23F 5_2_0041C23F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041C2AF 5_2_0041C2AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041C3DF 5_2_0041C3DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00408C60 5_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041CC13 5_2_0041CC13
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041B4A3 5_2_0041B4A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041BD9B 5_2_0041BD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041BE60 5_2_0041BE60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041C603 5_2_0041C603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C0D20 5_2_053C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05491D55 5_2_05491D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05492D07 5_2_05492D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054925DD 5_2_054925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F2581 5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DD5E0 5_2_053DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D841F 5_2_053D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548D466 5_2_0548D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0549DFCE 5_2_0549DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05491FF1 5_2_05491FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E6E30 5_2_053E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548D616 5_2_0548D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05492EF7 5_2_05492EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E4120 5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CF900 5_2_053CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05481002 5_2_05481002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0549E824 5_2_0549E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F20A0 5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054928EC 5_2_054928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DB090 5_2_053DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054920A8 5_2_054920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05492B28 5_2_05492B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FEBB0 5_2_053FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054803DA 5_2_054803DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548DBD2 5_2_0548DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054922AE 5_2_054922AE
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EDD466 8_2_04EDD466
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2841F 8_2_04E2841F
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2D5E0 8_2_04E2D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE25DD 8_2_04EE25DD
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E42581 8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE1D55 8_2_04EE1D55
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E10D20 8_2_04E10D20
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE2D07 8_2_04EE2D07
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE2EF7 8_2_04EE2EF7
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E36E30 8_2_04E36E30
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EDD616 8_2_04EDD616
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE1FF1 8_2_04EE1FF1
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EEDFCE 8_2_04EEDFCE
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE28EC 8_2_04EE28EC
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E420A0 8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE20A8 8_2_04EE20A8
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2B090 8_2_04E2B090
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EEE824 8_2_04EEE824
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED1002 8_2_04ED1002
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E34120 8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1F900 8_2_04E1F900
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE22AE 8_2_04EE22AE
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED03DA 8_2_04ED03DA
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EDDBD2 8_2_04EDDBD2
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4EBB0 8_2_04E4EBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE2B28 8_2_04EE2B28
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_030F2FB0 8_2_030F2FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310C603 8_2_0310C603
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_030F2D90 8_2_030F2D90
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310CC13 8_2_0310CC13
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_030F8C60 8_2_030F8C60
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\control.exe Code function: String function: 04E1B150 appears 45 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 053CB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: J0OmHIagw8.exe Binary or memory string: OriginalFilename vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.241605025.000000000442C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.242728474.0000000006AF0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs J0OmHIagw8.exe
Source: J0OmHIagw8.exe Binary or memory string: OriginalFilename2 vs J0OmHIagw8.exe
Uses 32bit PE files
Source: J0OmHIagw8.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: J0OmHIagw8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JcEEHoQdnETCO.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: classification engine Classification label: mal100.troj.evad.winEXE@12/3@20/11
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Mutant created: \Sessions\1\BaseNamedObjects\BrtavqaRGzDKtjCLSCLufFEEs
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File created: C:\Users\user\AppData\Local\Temp\tmpF65F.tmp
Source: J0OmHIagw8.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: J0OmHIagw8.exe Virustotal: Detection: 31%
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File read: C:\Users\user\Desktop\J0OmHIagw8.exe
Source: unknown Process created: C:\Users\user\Desktop\J0OmHIagw8.exe 'C:\Users\user\Desktop\J0OmHIagw8.exe'
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: J0OmHIagw8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: J0OmHIagw8.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: J0OmHIagw8.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
Source: Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
Source: Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Binary contains a suspicious time stamp
Source: initial sample Static PE information: 0x8C6CE96A [Sat Aug 27 21:58:02 2044 UTC]
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041508E push ebp; iretd 5_2_0041508F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041C9C8 push dword ptr [ECF9F4C6h]; ret 5_2_0041C9EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040C2CA push ds; retf 5_2_0040C2E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040C31A push ds; retf 5_2_0040C31E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004153DF pushad ; ret 5_2_004153E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041B3B5 push eax; ret 5_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041B46C push eax; ret 5_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041B402 push eax; ret 5_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0041B40B push eax; ret 5_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00414DDA pushfd ; retf 5_2_00414DDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0040EEAA push esp; retf 5_2_0040EEAF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0541D0D1 push ecx; ret 5_2_0541D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E6D0D1 push ecx; ret 8_2_04E6D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_030FC31A push ds; retf 8_2_030FC31E
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310B3B5 push eax; ret 8_2_0310B408
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_031053DF pushad ; ret 8_2_031053E0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_030FC2CA push ds; retf 8_2_030FC2E5
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310C9C8 push dword ptr [ECF9F4C6h]; ret 8_2_0310C9EA
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310508E push ebp; iretd 8_2_0310508F
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_030FEEAA push esp; retf 8_2_030FEEAF
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_03104DDA pushfd ; retf 8_2_03104DDB
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310B402 push eax; ret 8_2_0310B408
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310B40B push eax; ret 8_2_0310B472
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_0310B46C push eax; ret 8_2_0310B472
Source: initial sample Static PE information: section name: .text entropy: 7.87325624696

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: J0OmHIagw8.exe PID: 5816, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030F85E4 second address: 00000000030F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030F897E second address: 00000000030F8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\J0OmHIagw8.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004088B0 rdtsc 5_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\J0OmHIagw8.exe TID: 5328 Thread sleep time: -31500s >= -30000s
Source: C:\Users\user\Desktop\J0OmHIagw8.exe TID: 4112 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6624 Thread sleep time: -75000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 6404 Thread sleep count: 33 > 30
Source: C:\Windows\SysWOW64\control.exe TID: 6404 Thread sleep time: -66000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000006.00000000.258703934.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: control.exe, 00000008.00000002.570842629.0000000000D14000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: vmware
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.251327827.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.259244656.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
Source: explorer.exe, 00000006.00000000.251346760.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp Binary or memory string: VMware
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: J0OmHIagw8.exe, 00000000.00000002.238812639.00000000032D5000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.258484663.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_004088B0 rdtsc 5_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_00409B20 LdrLoadDll, 5_2_00409B20
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05403D43 mov eax, dword ptr fs:[00000030h] 5_2_05403D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F4D3B mov eax, dword ptr fs:[00000030h] 5_2_053F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05443540 mov eax, dword ptr fs:[00000030h] 5_2_05443540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05473D40 mov eax, dword ptr fs:[00000030h] 5_2_05473D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D3D34 mov eax, dword ptr fs:[00000030h] 5_2_053D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CAD30 mov eax, dword ptr fs:[00000030h] 5_2_053CAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053EC577 mov eax, dword ptr fs:[00000030h] 5_2_053EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E7D50 mov eax, dword ptr fs:[00000030h] 5_2_053E7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548E539 mov eax, dword ptr fs:[00000030h] 5_2_0548E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0544A537 mov eax, dword ptr fs:[00000030h] 5_2_0544A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05498D34 mov eax, dword ptr fs:[00000030h] 5_2_05498D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F1DB5 mov eax, dword ptr fs:[00000030h] 5_2_053F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05446DC9 mov eax, dword ptr fs:[00000030h] 5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05446DC9 mov ecx, dword ptr fs:[00000030h] 5_2_05446DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F35A1 mov eax, dword ptr fs:[00000030h] 5_2_053F35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FFD9B mov eax, dword ptr fs:[00000030h] 5_2_053FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548FDE2 mov eax, dword ptr fs:[00000030h] 5_2_0548FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05478DF1 mov eax, dword ptr fs:[00000030h] 5_2_05478DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C2D8A mov eax, dword ptr fs:[00000030h] 5_2_053C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F2581 mov eax, dword ptr fs:[00000030h] 5_2_053F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DD5E0 mov eax, dword ptr fs:[00000030h] 5_2_053DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054905AC mov eax, dword ptr fs:[00000030h] 5_2_054905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FBC2C mov eax, dword ptr fs:[00000030h] 5_2_053FBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0545C450 mov eax, dword ptr fs:[00000030h] 5_2_0545C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0549740D mov eax, dword ptr fs:[00000030h] 5_2_0549740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05481C06 mov eax, dword ptr fs:[00000030h] 5_2_05481C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05446C0A mov eax, dword ptr fs:[00000030h] 5_2_05446C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E746D mov eax, dword ptr fs:[00000030h] 5_2_053E746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FA44B mov eax, dword ptr fs:[00000030h] 5_2_053FA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05498CD6 mov eax, dword ptr fs:[00000030h] 5_2_05498CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D849B mov eax, dword ptr fs:[00000030h] 5_2_053D849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054814FB mov eax, dword ptr fs:[00000030h] 5_2_054814FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05446CF0 mov eax, dword ptr fs:[00000030h] 5_2_05446CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FE730 mov eax, dword ptr fs:[00000030h] 5_2_053FE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C4F2E mov eax, dword ptr fs:[00000030h] 5_2_053C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05498F6A mov eax, dword ptr fs:[00000030h] 5_2_05498F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053EF716 mov eax, dword ptr fs:[00000030h] 5_2_053EF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FA70E mov eax, dword ptr fs:[00000030h] 5_2_053FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0549070D mov eax, dword ptr fs:[00000030h] 5_2_0549070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0545FF10 mov eax, dword ptr fs:[00000030h] 5_2_0545FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DFF60 mov eax, dword ptr fs:[00000030h] 5_2_053DFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DEF40 mov eax, dword ptr fs:[00000030h] 5_2_053DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D8794 mov eax, dword ptr fs:[00000030h] 5_2_053D8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054037F5 mov eax, dword ptr fs:[00000030h] 5_2_054037F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05447794 mov eax, dword ptr fs:[00000030h] 5_2_05447794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548AE44 mov eax, dword ptr fs:[00000030h] 5_2_0548AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CE620 mov eax, dword ptr fs:[00000030h] 5_2_053CE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FA61C mov eax, dword ptr fs:[00000030h] 5_2_053FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CC600 mov eax, dword ptr fs:[00000030h] 5_2_053CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F8E00 mov eax, dword ptr fs:[00000030h] 5_2_053F8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05481608 mov eax, dword ptr fs:[00000030h] 5_2_05481608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053EAE73 mov eax, dword ptr fs:[00000030h] 5_2_053EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D766D mov eax, dword ptr fs:[00000030h] 5_2_053D766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0547FE3F mov eax, dword ptr fs:[00000030h] 5_2_0547FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D7E41 mov eax, dword ptr fs:[00000030h] 5_2_053D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0547FEC0 mov eax, dword ptr fs:[00000030h] 5_2_0547FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05408EC7 mov eax, dword ptr fs:[00000030h] 5_2_05408EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05498ED6 mov eax, dword ptr fs:[00000030h] 5_2_05498ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0545FE87 mov eax, dword ptr fs:[00000030h] 5_2_0545FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F16E0 mov ecx, dword ptr fs:[00000030h] 5_2_053F16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D76E2 mov eax, dword ptr fs:[00000030h] 5_2_053D76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054446A7 mov eax, dword ptr fs:[00000030h] 5_2_054446A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05490EA5 mov eax, dword ptr fs:[00000030h] 5_2_05490EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F36CC mov eax, dword ptr fs:[00000030h] 5_2_053F36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F513A mov eax, dword ptr fs:[00000030h] 5_2_053F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E4120 mov eax, dword ptr fs:[00000030h] 5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E4120 mov ecx, dword ptr fs:[00000030h] 5_2_053E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C9100 mov eax, dword ptr fs:[00000030h] 5_2_053C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CB171 mov eax, dword ptr fs:[00000030h] 5_2_053CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CC962 mov eax, dword ptr fs:[00000030h] 5_2_053CC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053EB944 mov eax, dword ptr fs:[00000030h] 5_2_053EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F61A0 mov eax, dword ptr fs:[00000030h] 5_2_053F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054541E8 mov eax, dword ptr fs:[00000030h] 5_2_054541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F2990 mov eax, dword ptr fs:[00000030h] 5_2_053F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FA185 mov eax, dword ptr fs:[00000030h] 5_2_053FA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053EC182 mov eax, dword ptr fs:[00000030h] 5_2_053EC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CB1E1 mov eax, dword ptr fs:[00000030h] 5_2_053CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054469A6 mov eax, dword ptr fs:[00000030h] 5_2_054469A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054849A4 mov eax, dword ptr fs:[00000030h] 5_2_054849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054451BE mov eax, dword ptr fs:[00000030h] 5_2_054451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F002D mov eax, dword ptr fs:[00000030h] 5_2_053F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DB02A mov eax, dword ptr fs:[00000030h] 5_2_053DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05482073 mov eax, dword ptr fs:[00000030h] 5_2_05482073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05491074 mov eax, dword ptr fs:[00000030h] 5_2_05491074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05447016 mov eax, dword ptr fs:[00000030h] 5_2_05447016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05494015 mov eax, dword ptr fs:[00000030h] 5_2_05494015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E0050 mov eax, dword ptr fs:[00000030h] 5_2_053E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FF0BF mov ecx, dword ptr fs:[00000030h] 5_2_053FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FF0BF mov eax, dword ptr fs:[00000030h] 5_2_053FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0545B8D0 mov ecx, dword ptr fs:[00000030h] 5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0545B8D0 mov eax, dword ptr fs:[00000030h] 5_2_0545B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F20A0 mov eax, dword ptr fs:[00000030h] 5_2_053F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C9080 mov eax, dword ptr fs:[00000030h] 5_2_053C9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05443884 mov eax, dword ptr fs:[00000030h] 5_2_05443884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C58EC mov eax, dword ptr fs:[00000030h] 5_2_053C58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C40E1 mov eax, dword ptr fs:[00000030h] 5_2_053C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054090AF mov eax, dword ptr fs:[00000030h] 5_2_054090AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05498B58 mov eax, dword ptr fs:[00000030h] 5_2_05498B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F3B7A mov eax, dword ptr fs:[00000030h] 5_2_053F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548131B mov eax, dword ptr fs:[00000030h] 5_2_0548131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CDB60 mov ecx, dword ptr fs:[00000030h] 5_2_053CDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CF358 mov eax, dword ptr fs:[00000030h] 5_2_053CF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CDB40 mov eax, dword ptr fs:[00000030h] 5_2_053CDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_054453CA mov eax, dword ptr fs:[00000030h] 5_2_054453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F4BAD mov eax, dword ptr fs:[00000030h] 5_2_053F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F2397 mov eax, dword ptr fs:[00000030h] 5_2_053F2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FB390 mov eax, dword ptr fs:[00000030h] 5_2_053FB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D1B8F mov eax, dword ptr fs:[00000030h] 5_2_053D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548138A mov eax, dword ptr fs:[00000030h] 5_2_0548138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0547D380 mov ecx, dword ptr fs:[00000030h] 5_2_0547D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053EDBE9 mov eax, dword ptr fs:[00000030h] 5_2_053EDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F03E2 mov eax, dword ptr fs:[00000030h] 5_2_053F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05495BA5 mov eax, dword ptr fs:[00000030h] 5_2_05495BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05454257 mov eax, dword ptr fs:[00000030h] 5_2_05454257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548EA55 mov eax, dword ptr fs:[00000030h] 5_2_0548EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053E3A1C mov eax, dword ptr fs:[00000030h] 5_2_053E3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0547B260 mov eax, dword ptr fs:[00000030h] 5_2_0547B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053CAA16 mov eax, dword ptr fs:[00000030h] 5_2_053CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05498A62 mov eax, dword ptr fs:[00000030h] 5_2_05498A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C5210 mov eax, dword ptr fs:[00000030h] 5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C5210 mov ecx, dword ptr fs:[00000030h] 5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C5210 mov eax, dword ptr fs:[00000030h] 5_2_053C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053D8A0A mov eax, dword ptr fs:[00000030h] 5_2_053D8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0540927A mov eax, dword ptr fs:[00000030h] 5_2_0540927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_0548AA16 mov eax, dword ptr fs:[00000030h] 5_2_0548AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_05404A2C mov eax, dword ptr fs:[00000030h] 5_2_05404A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C9240 mov eax, dword ptr fs:[00000030h] 5_2_053C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053DAAB0 mov eax, dword ptr fs:[00000030h] 5_2_053DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FFAB0 mov eax, dword ptr fs:[00000030h] 5_2_053FFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053C52A5 mov eax, dword ptr fs:[00000030h] 5_2_053C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053FD294 mov eax, dword ptr fs:[00000030h] 5_2_053FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F2AE4 mov eax, dword ptr fs:[00000030h] 5_2_053F2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 5_2_053F2ACB mov eax, dword ptr fs:[00000030h] 5_2_053F2ACB
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED14FB mov eax, dword ptr fs:[00000030h] 8_2_04ED14FB
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E96CF0 mov eax, dword ptr fs:[00000030h] 8_2_04E96CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE8CD6 mov eax, dword ptr fs:[00000030h] 8_2_04EE8CD6
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2849B mov eax, dword ptr fs:[00000030h] 8_2_04E2849B
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E3746D mov eax, dword ptr fs:[00000030h] 8_2_04E3746D
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4A44B mov eax, dword ptr fs:[00000030h] 8_2_04E4A44B
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EAC450 mov eax, dword ptr fs:[00000030h] 8_2_04EAC450
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4BC2C mov eax, dword ptr fs:[00000030h] 8_2_04E4BC2C
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE740D mov eax, dword ptr fs:[00000030h] 8_2_04EE740D
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E96C0A mov eax, dword ptr fs:[00000030h] 8_2_04E96C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED1C06 mov eax, dword ptr fs:[00000030h] 8_2_04ED1C06
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2D5E0 mov eax, dword ptr fs:[00000030h] 8_2_04E2D5E0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EDFDE2 mov eax, dword ptr fs:[00000030h] 8_2_04EDFDE2
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EC8DF1 mov eax, dword ptr fs:[00000030h] 8_2_04EC8DF1
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h] 8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E96DC9 mov ecx, dword ptr fs:[00000030h] 8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E96DC9 mov eax, dword ptr fs:[00000030h] 8_2_04E96DC9
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE05AC mov eax, dword ptr fs:[00000030h] 8_2_04EE05AC
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E435A1 mov eax, dword ptr fs:[00000030h] 8_2_04E435A1
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E41DB5 mov eax, dword ptr fs:[00000030h] 8_2_04E41DB5
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E42581 mov eax, dword ptr fs:[00000030h] 8_2_04E42581
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E12D8A mov eax, dword ptr fs:[00000030h] 8_2_04E12D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4FD9B mov eax, dword ptr fs:[00000030h] 8_2_04E4FD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E3C577 mov eax, dword ptr fs:[00000030h] 8_2_04E3C577
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E53D43 mov eax, dword ptr fs:[00000030h] 8_2_04E53D43
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E93540 mov eax, dword ptr fs:[00000030h] 8_2_04E93540
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EC3D40 mov eax, dword ptr fs:[00000030h] 8_2_04EC3D40
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E37D50 mov eax, dword ptr fs:[00000030h] 8_2_04E37D50
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1AD30 mov eax, dword ptr fs:[00000030h] 8_2_04E1AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EDE539 mov eax, dword ptr fs:[00000030h] 8_2_04EDE539
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E23D34 mov eax, dword ptr fs:[00000030h] 8_2_04E23D34
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE8D34 mov eax, dword ptr fs:[00000030h] 8_2_04EE8D34
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E9A537 mov eax, dword ptr fs:[00000030h] 8_2_04E9A537
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E44D3B mov eax, dword ptr fs:[00000030h] 8_2_04E44D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E276E2 mov eax, dword ptr fs:[00000030h] 8_2_04E276E2
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E416E0 mov ecx, dword ptr fs:[00000030h] 8_2_04E416E0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E58EC7 mov eax, dword ptr fs:[00000030h] 8_2_04E58EC7
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E436CC mov eax, dword ptr fs:[00000030h] 8_2_04E436CC
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ECFEC0 mov eax, dword ptr fs:[00000030h] 8_2_04ECFEC0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE8ED6 mov eax, dword ptr fs:[00000030h] 8_2_04EE8ED6
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE0EA5 mov eax, dword ptr fs:[00000030h] 8_2_04EE0EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E946A7 mov eax, dword ptr fs:[00000030h] 8_2_04E946A7
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EAFE87 mov eax, dword ptr fs:[00000030h] 8_2_04EAFE87
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2766D mov eax, dword ptr fs:[00000030h] 8_2_04E2766D
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E3AE73 mov eax, dword ptr fs:[00000030h] 8_2_04E3AE73
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E27E41 mov eax, dword ptr fs:[00000030h] 8_2_04E27E41
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EDAE44 mov eax, dword ptr fs:[00000030h] 8_2_04EDAE44
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1E620 mov eax, dword ptr fs:[00000030h] 8_2_04E1E620
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ECFE3F mov eax, dword ptr fs:[00000030h] 8_2_04ECFE3F
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1C600 mov eax, dword ptr fs:[00000030h] 8_2_04E1C600
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E48E00 mov eax, dword ptr fs:[00000030h] 8_2_04E48E00
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED1608 mov eax, dword ptr fs:[00000030h] 8_2_04ED1608
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4A61C mov eax, dword ptr fs:[00000030h] 8_2_04E4A61C
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E537F5 mov eax, dword ptr fs:[00000030h] 8_2_04E537F5
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E28794 mov eax, dword ptr fs:[00000030h] 8_2_04E28794
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E97794 mov eax, dword ptr fs:[00000030h] 8_2_04E97794
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2FF60 mov eax, dword ptr fs:[00000030h] 8_2_04E2FF60
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE8F6A mov eax, dword ptr fs:[00000030h] 8_2_04EE8F6A
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2EF40 mov eax, dword ptr fs:[00000030h] 8_2_04E2EF40
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E14F2E mov eax, dword ptr fs:[00000030h] 8_2_04E14F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4E730 mov eax, dword ptr fs:[00000030h] 8_2_04E4E730
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE070D mov eax, dword ptr fs:[00000030h] 8_2_04EE070D
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4A70E mov eax, dword ptr fs:[00000030h] 8_2_04E4A70E
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E3F716 mov eax, dword ptr fs:[00000030h] 8_2_04E3F716
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EAFF10 mov eax, dword ptr fs:[00000030h] 8_2_04EAFF10
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E140E1 mov eax, dword ptr fs:[00000030h] 8_2_04E140E1
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E158EC mov eax, dword ptr fs:[00000030h] 8_2_04E158EC
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EAB8D0 mov eax, dword ptr fs:[00000030h] 8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EAB8D0 mov ecx, dword ptr fs:[00000030h] 8_2_04EAB8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E420A0 mov eax, dword ptr fs:[00000030h] 8_2_04E420A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E590AF mov eax, dword ptr fs:[00000030h] 8_2_04E590AF
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4F0BF mov ecx, dword ptr fs:[00000030h] 8_2_04E4F0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4F0BF mov eax, dword ptr fs:[00000030h] 8_2_04E4F0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E19080 mov eax, dword ptr fs:[00000030h] 8_2_04E19080
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E93884 mov eax, dword ptr fs:[00000030h] 8_2_04E93884
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE1074 mov eax, dword ptr fs:[00000030h] 8_2_04EE1074
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED2073 mov eax, dword ptr fs:[00000030h] 8_2_04ED2073
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E30050 mov eax, dword ptr fs:[00000030h] 8_2_04E30050
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2B02A mov eax, dword ptr fs:[00000030h] 8_2_04E2B02A
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4002D mov eax, dword ptr fs:[00000030h] 8_2_04E4002D
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EE4015 mov eax, dword ptr fs:[00000030h] 8_2_04EE4015
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E97016 mov eax, dword ptr fs:[00000030h] 8_2_04E97016
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1B1E1 mov eax, dword ptr fs:[00000030h] 8_2_04E1B1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04EA41E8 mov eax, dword ptr fs:[00000030h] 8_2_04EA41E8
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E461A0 mov eax, dword ptr fs:[00000030h] 8_2_04E461A0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04ED49A4 mov eax, dword ptr fs:[00000030h] 8_2_04ED49A4
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E969A6 mov eax, dword ptr fs:[00000030h] 8_2_04E969A6
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E951BE mov eax, dword ptr fs:[00000030h] 8_2_04E951BE
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E3C182 mov eax, dword ptr fs:[00000030h] 8_2_04E3C182
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4A185 mov eax, dword ptr fs:[00000030h] 8_2_04E4A185
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E42990 mov eax, dword ptr fs:[00000030h] 8_2_04E42990
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1C962 mov eax, dword ptr fs:[00000030h] 8_2_04E1C962
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E1B171 mov eax, dword ptr fs:[00000030h] 8_2_04E1B171
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E3B944 mov eax, dword ptr fs:[00000030h] 8_2_04E3B944
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E34120 mov eax, dword ptr fs:[00000030h] 8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E34120 mov ecx, dword ptr fs:[00000030h] 8_2_04E34120
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4513A mov eax, dword ptr fs:[00000030h] 8_2_04E4513A
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E19100 mov eax, dword ptr fs:[00000030h] 8_2_04E19100
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E42AE4 mov eax, dword ptr fs:[00000030h] 8_2_04E42AE4
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E42ACB mov eax, dword ptr fs:[00000030h] 8_2_04E42ACB
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E152A5 mov eax, dword ptr fs:[00000030h] 8_2_04E152A5
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E2AAB0 mov eax, dword ptr fs:[00000030h] 8_2_04E2AAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4FAB0 mov eax, dword ptr fs:[00000030h] 8_2_04E4FAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 8_2_04E4D294 mov eax, dword ptr fs:[00000030h] 8_2_04E4D294
Enables debug privileges
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 192.0.78.208 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 45.77.226.209 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 142.44.212.169 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 146.148.193.212 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 192.155.166.181 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 23.105.124.225 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 198.49.23.144 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 173.234.175.134 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 205.134.254.189 80 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread register set: target process: 3388 Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3388 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: B80000 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp' Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' Jump to behavior
Source: explorer.exe, 00000006.00000000.242933358.0000000001398000.00000004.00000020.sdmp Binary or memory string: ProgmanamF
Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.259002702.000000000871F000.00000004.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.243440910.0000000001980000.00000002.00000001.sdmp, control.exe, 00000008.00000002.572507874.00000000036A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Queries volume information: C:\Users\user\Desktop\J0OmHIagw8.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\J0OmHIagw8.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

Behavior Graph:

Behavior Graph ID: 339323 Sample: J0OmHIagw8.exe Startdate: 13/01/2021 Architecture: WINDOWS Score: 100

Signatures on the sample node: Tries to download HTTP data from a sinkholed server; Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; 12 other signatures

J0OmHIagw8.exe (started)
  DNS/IP: 192.168.2.1 unknown unknown
  Dropped: C:\Users\user\AppData\...\JcEEHoQdnETCO.exe, PE32
  Dropped: C:\Users\user\AppData\Local\...\tmpF65F.tmp, XML
  Dropped: C:\Users\user\AppData\...\J0OmHIagw8.exe.log, ASCII
  vbc.exe (started)
    Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
    explorer.exe (injected)
      DNS/IP: www.exit-divorce.com 192.155.166.181, 49761, 80 PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL United States
      DNS/IP: queensboutique1000.com 142.44.212.169, 49756, 49772, 80 OVHFR Canada
      DNS/IP: 20 other IPs or domains
      Signatures: System process connects to network (likely due to code injection or exploit)
      control.exe (started)
        Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
        cmd.exe (started)
          conhost.exe (started)
  vbc.exe (started)
    Signatures: Tries to detect virtualization through RDTSC time measurements
  schtasks.exe (started)
    conhost.exe (started)

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                                   Malicious
192.0.78.208     unknown  United States  2635    AUTOMATTICUS                               true
45.77.226.209    unknown  United States  20473   AS-CHOOPAUS                                true
142.44.212.169   unknown  Canada         16276   OVHFR                                      true
146.148.193.212  unknown  United States  26658   HENGTONG-IDC-LLCUS                         true
192.155.166.181  unknown  United States  132721  PING-GLOBAL-ASPingGlobalAmsterdamPOPASNNL  true
23.105.124.225   unknown  United States  7203    LEASEWEB-USA-SFO-12US                      true
198.49.23.144    unknown  United States  53831   SQUARESPACEUS                              false
173.234.175.134  unknown  United States  395954  LEASEWEB-USA-LAX-11US                      true
34.102.136.180   unknown  United States  15169   GOOGLEUS                                   true
205.134.254.189  unknown  United States  22611   IMH-WESTUS                                 true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
splendidhotelspa.com 205.134.254.189 true
queensboutique1000.com 142.44.212.169 true
studentdividers.com 34.102.136.180 true
www.travelnetafrica.com 173.234.175.134 true
www.fessusesefsee.com 45.77.226.209 true
epicmassiveconcepts.com 34.102.136.180 true
www.exit-divorce.com 192.155.166.181 true
www.alparmuhendislik.com 23.105.124.225 true
www.stnanguo.com 146.148.193.212 true
ext-cust.squarespace.com 198.49.23.144 true
logansshop.net 192.0.78.208 true
www.herbmedia.net unknown unknown
www.queensboutique1000.com unknown unknown
www.procreditexpert.com unknown unknown
www.studentdividers.com unknown unknown
www.logansshop.net unknown unknown
www.splendidhotelspa.com unknown unknown
www.thesouthbeachlife.com unknown unknown
www.soundon.events unknown unknown
www.latin-hotspot.com unknown unknown
www.epicmassiveconcepts.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.stnanguo.com/csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT true
  • Avira URL Cloud: phishing
unknown
http://www.alparmuhendislik.com/csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.exit-divorce.com/csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.queensboutique1000.com/csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT true
  • Avira URL Cloud: malware
unknown
http://www.travelnetafrica.com/csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.splendidhotelspa.com/csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.studentdividers.com/csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.epicmassiveconcepts.com/csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown
http://www.soundon.events/csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT true
  • Avira URL Cloud: safe
unknown