Windows Analysis Report 9JzK89dRiaBYTuN.exe

Overview

General Information

Sample Name: 9JzK89dRiaBYTuN.exe
Analysis ID: 458757
MD5: d726ec6e056461dd7d3ce8890c3c9a4e
SHA1: 4f6b524ab5fa51d9c5465572de8075c857afb686
SHA256: 77d33d0e8b91781213a971ebc2e6abe4191bf2c28ff0ede19b07db092f590dff
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Process Start Without DLL
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 9JzK89dRiaBYTuN.exe Avira: detected
Antivirus detection for URL or domain
Source: www.panyu-qqbaby.com/weni/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.panyu-qqbaby.com/weni/"], "decoy": ["sdmdwang.com", "konversationswithkoshie.net", "carap.club", "eagldeream.com", "856380585.xyz", "elgallocoffee.com", "magetu.info", "lovertons.com", "theichallenge.com", "advancedautorepairsonline.com", "wingsstyling.info", "tapdaugusta.com", "wiloasbanhsgtarewdasc.solutions", "donjrisdumb.com", "experienceddoctor.com", "cloverhillconsultants.com", "underwear.show", "karensgonewild2020.com", "arodsr.com", "thefucktardmanual.com", "712kenwood.info", "telecompink.com", "ebizkendra.com", "kitkatmp3.com", "utformehagen.com", "profitsnavigator.com", "kathyharvey.com", "tongaoffshore.com", "vrpreservation.com", "hy7128.com", "nicolettejohnsonphotography.com", "rating.travel", "visualartcr.com", "nationalbarista.com", "lovecartoonforever.com", "koimkt.com", "directpractice.pro", "blockchaincloud360.com", "queverenbuenosaires.com", "coachmyragolden.com", "awree.com", "facebookipl.com", "rcheapwdbuy.com", "trinspinsgreen.com", "voxaide.com", "ecorner.online", "mattvickery.com", "regarta.com", "fknprfct.com", "theessentialstore.net", "sunilpsingh.com", "ovtnywveba.club", "optimalgafa.com", "awdjob.info", "humachem.com", "southeasternsteakcompany.com", "centerevents.net", "warrenswindowcleans.co.uk", "lebullterrier.com", "thecxchecker.com", "formerknown.com", "pupbutler.com", "tincanphones.com", "tgeuuy.cool"]}
Multi AV Scanner detection for submitted file
Source: 9JzK89dRiaBYTuN.exe Virustotal: Detection: 57%
Source: 9JzK89dRiaBYTuN.exe ReversingLabs: Detection: 75%
Yara detected FormBook
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: 9JzK89dRiaBYTuN.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 1.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 9JzK89dRiaBYTuN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: 9JzK89dRiaBYTuN.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, cmmon32.exe, 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmmon32.exe
Source: Binary string: RegSvcs.pdb source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop esi 1_2_00415836
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop ebx 1_2_00406A67
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 1_2_0040C2BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 1_2_0040C3AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop esi 5_2_00785836
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 5_2_00776A67
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 5_2_0077C2BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 5_2_0077C3AF

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49731 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49731 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49731 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.panyu-qqbaby.com/weni/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.regarta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.tapdaugusta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.profitsnavigator.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.konversationswithkoshie.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.advancedautorepairsonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.lovertons.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.utformehagen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View ASN Name: WEBAIR-INTERNETUS
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=vK5NYeOz5XkzOmNWKQvXOgoJo3oDs/IT/QpSrvoL9TxdOASFPAP+KPQhIJ5bhzx72Ujc1GJYaw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.regarta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=5QGyFhC7d8SOfupCgf8D8L5Dw1IpKGdMSRgbjgwl2q0Kak4r1qcSYI6TGyMZI/ki/MDg/v9Fdw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.tapdaugusta.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=BkpYm0nbd5ib+/fSGFV7l4XaMZIYy+faJJ1LkwLIu9AW6SncOXGggY2R9QUt+6zEXxQtwdedUg==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.profitsnavigator.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=ztAjwXyjR8Zhmz6qNG99UeVM/COU9vlr0gZS07ceR8+f8+nH1SwRALtGHqnV1JfTHENGVYv16A==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.konversationswithkoshie.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=+KyOLC6TyuKR3+iFgbwKS8GxhsjIjrhtsitDR0G1PeYPvoj9xIz7F4EITJbrl7lY/KKYumYMjw==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.advancedautorepairsonline.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=jQINVx1WLgI4Q78PxoFZgdCbTp62zPlUZKvRDpdtPyf3UmqyZOBTcqkgr6daQI/TgYuIT4+N1g==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.lovertons.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /weni/?Fzr4otMh=9kFoto4nIUhkgP3Es+H36/ZMz7ns/MT8S+V4osXmeDelDelWvdLQo7Pbd8Te03qiHXqAR+RcrA==&aRbdj=q6AlsppXkR0txTj HTTP/1.1 Host: www.utformehagen.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown DNS traffic detected: queries for: www.regarta.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.346086899.000000000095C000.00000004.00000020.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: cmmon32.exe, 00000005.00000002.604875216.0000000002E3A000.00000004.00000020.sdmp String found in binary or memory: http://www.sdmdwang.com/weni/?Fzr4otMh=M4L27nnvKueB/wH9
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.367412042.000000000B1A6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341446378.0000000000988000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004181C0 NtCreateFile, 1_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00418270 NtReadFile, 1_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004182F0 NtClose, 1_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004183A0 NtAllocateVirtualMemory, 1_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041839A NtAllocateVirtualMemory, 1_2_0041839A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A299A0 NtCreateSection,LdrInitializeThunk, 1_2_01A299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_01A29910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A298F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_01A298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_01A29860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29840 NtDelayExecution,LdrInitializeThunk, 1_2_01A29840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29A20 NtResumeThread,LdrInitializeThunk, 1_2_01A29A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_01A29A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29A50 NtCreateFile,LdrInitializeThunk, 1_2_01A29A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A295D0 NtClose,LdrInitializeThunk, 1_2_01A295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29540 NtReadFile,LdrInitializeThunk, 1_2_01A29540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A297A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_01A297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29780 NtMapViewOfSection,LdrInitializeThunk, 1_2_01A29780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29FE0 NtCreateMutant,LdrInitializeThunk, 1_2_01A29FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29710 NtQueryInformationToken,LdrInitializeThunk, 1_2_01A29710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A296E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_01A296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_01A29660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A299D0 NtCreateProcessEx, 1_2_01A299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29950 NtQueueApcThread, 1_2_01A29950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A298A0 NtWriteVirtualMemory, 1_2_01A298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29820 NtEnumerateKey, 1_2_01A29820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A2B040 NtSuspendThread, 1_2_01A2B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A2A3B0 NtGetContextThread, 1_2_01A2A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29B00 NtSetValueKey, 1_2_01A29B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29A80 NtOpenDirectoryObject, 1_2_01A29A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29A10 NtQuerySection, 1_2_01A29A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A295F0 NtQueryInformationFile, 1_2_01A295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29520 NtWaitForSingleObject, 1_2_01A29520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A2AD30 NtSetContextThread, 1_2_01A2AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29560 NtWriteFile, 1_2_01A29560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29730 NtQueryVirtualMemory, 1_2_01A29730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A2A710 NtOpenProcessToken, 1_2_01A2A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29760 NtOpenProcess, 1_2_01A29760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29770 NtSetInformationFile, 1_2_01A29770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A2A770 NtOpenThread, 1_2_01A2A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A296D0 NtCreateKey, 1_2_01A296D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29610 NtEnumerateValueKey, 1_2_01A29610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29670 NtQueryInformationProcess, 1_2_01A29670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A29650 NtQueryValueKey, 1_2_01A29650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_04A19860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19840 NtDelayExecution,LdrInitializeThunk, 5_2_04A19840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A199A0 NtCreateSection,LdrInitializeThunk, 5_2_04A199A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A195D0 NtClose,LdrInitializeThunk, 5_2_04A195D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_04A19910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19540 NtReadFile,LdrInitializeThunk, 5_2_04A19540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A196E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_04A196E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A196D0 NtCreateKey,LdrInitializeThunk, 5_2_04A196D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_04A19660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19650 NtQueryValueKey,LdrInitializeThunk, 5_2_04A19650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19A50 NtCreateFile,LdrInitializeThunk, 5_2_04A19A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19780 NtMapViewOfSection,LdrInitializeThunk, 5_2_04A19780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19FE0 NtCreateMutant,LdrInitializeThunk, 5_2_04A19FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19710 NtQueryInformationToken,LdrInitializeThunk, 5_2_04A19710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A198A0 NtWriteVirtualMemory, 5_2_04A198A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A198F0 NtReadVirtualMemory, 5_2_04A198F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19820 NtEnumerateKey, 5_2_04A19820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A1B040 NtSuspendThread, 5_2_04A1B040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A195F0 NtQueryInformationFile, 5_2_04A195F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A199D0 NtCreateProcessEx, 5_2_04A199D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19520 NtWaitForSingleObject, 5_2_04A19520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A1AD30 NtSetContextThread, 5_2_04A1AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19560 NtWriteFile, 5_2_04A19560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19950 NtQueueApcThread, 5_2_04A19950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19A80 NtOpenDirectoryObject, 5_2_04A19A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19A20 NtResumeThread, 5_2_04A19A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19A00 NtProtectVirtualMemory, 5_2_04A19A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19610 NtEnumerateValueKey, 5_2_04A19610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19A10 NtQuerySection, 5_2_04A19A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19670 NtQueryInformationProcess, 5_2_04A19670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A197A0 NtUnmapViewOfSection, 5_2_04A197A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A1A3B0 NtGetContextThread, 5_2_04A1A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19730 NtQueryVirtualMemory, 5_2_04A19730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19B00 NtSetValueKey, 5_2_04A19B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A1A710 NtOpenProcessToken, 5_2_04A1A710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19760 NtOpenProcess, 5_2_04A19760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A19770 NtSetInformationFile, 5_2_04A19770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A1A770 NtOpenThread, 5_2_04A1A770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_007881C0 NtCreateFile, 5_2_007881C0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00788270 NtReadFile, 5_2_00788270
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_007882F0 NtClose, 5_2_007882F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_007883A0 NtAllocateVirtualMemory, 5_2_007883A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078839A NtAllocateVirtualMemory, 5_2_0078839A
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00401030 1_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00401174 1_2_00401174
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041C124 1_2_0041C124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00408C60 1_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041B5D3 1_2_0041B5D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00402D90 1_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041C781 1_2_0041C781
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00402FB0 1_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A04120 1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EF900 1_2_019EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FB090 1_2_019FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1002 1_2_01AA1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1EBB0 1_2_01A1EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12581 1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FD5E0 1_2_019FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E0D20 1_2_019E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB1D55 1_2_01AB1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F841F 1_2_019F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A06E30 1_2_01A06E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049EB090 5_2_049EB090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049E841F 5_2_049E841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A91002 5_2_04A91002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A02581 5_2_04A02581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049ED5E0 5_2_049ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049DF900 5_2_049DF900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049D0D20 5_2_049D0D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049F4120 5_2_049F4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04AA1D55 5_2_04AA1D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_049F6E30 5_2_049F6E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A0EBB0 5_2_04A0EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00778C60 5_2_00778C60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00772D90 5_2_00772D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_00772FB0 5_2_00772FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078C781 5_2_0078C781
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 019EB150 appears 32 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 049DB150 appears 32 times
PE file contains strange resources
Source: 9JzK89dRiaBYTuN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9JzK89dRiaBYTuN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 9JzK89dRiaBYTuN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.348423668.0000000005910000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameStoreElement.dllB vs 9JzK89dRiaBYTuN.exe
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameConfigNodeType.dll> vs 9JzK89dRiaBYTuN.exe
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341147466.00000000002EC000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameObjectEqualityCompar.exe< vs 9JzK89dRiaBYTuN.exe
Source: 9JzK89dRiaBYTuN.exe Binary or memory string: OriginalFilenameObjectEqualityCompar.exe< vs 9JzK89dRiaBYTuN.exe
Uses 32bit PE files
Source: 9JzK89dRiaBYTuN.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Yara signature match
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 9JzK89dRiaBYTuN.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@14/7
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9JzK89dRiaBYTuN.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2924:120:WilError_01
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Mutant created: \Sessions\1\BaseNamedObjects\pyRNWsNXUbLJCwrhNfoT
Source: 9JzK89dRiaBYTuN.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\cmmon32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: 9JzK89dRiaBYTuN.exe Virustotal: Detection: 57%
Source: 9JzK89dRiaBYTuN.exe ReversingLabs: Detection: 75%
Source: unknown Process created: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe 'C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe'
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 9JzK89dRiaBYTuN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 9JzK89dRiaBYTuN.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 9JzK89dRiaBYTuN.exe Static file information: File size 1263616 > 1048576
Source: 9JzK89dRiaBYTuN.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x126c00
Source: 9JzK89dRiaBYTuN.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000001.00000002.396904315.0000000001D00000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000001.00000002.396482282.00000000019C0000.00000040.00000001.sdmp, cmmon32.exe, 00000005.00000002.608906653.0000000004ACF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmmon32.exe
Source: Binary string: RegSvcs.pdb source: cmmon32.exe, 00000005.00000002.604383897.0000000002DF4000.00000004.00000020.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.368212816.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Code function: 0_2_0241E8E0 push eax; ret 0_2_0241E8F9
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Code function: 0_2_0241D374 pushfd ; ret 0_2_0241E9D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041B3B5 push eax; ret 1_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041B46C push eax; ret 1_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041B402 push eax; ret 1_2_0041B408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041B40B push eax; ret 1_2_0041B472
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_0041CE07 pushfd ; ret 1_2_0041CE08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A3D0D1 push ecx; ret 1_2_01A3D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_04A2D0D1 push ecx; ret 5_2_04A2D0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078BBDB push edi; retf 5_2_0078BBDC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078B3B5 push eax; ret 5_2_0078B408
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078B46C push eax; ret 5_2_0078B472
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078B40B push eax; ret 5_2_0078B472
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078B402 push eax; ret 5_2_0078B408
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 5_2_0078CE07 pushfd ; ret 5_2_0078CE08
Source: initial sample Static PE information: section name: .text entropy: 7.81629816462
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.258d828.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 9JzK89dRiaBYTuN.exe PID: 6048, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 00000000007785E4 second address: 00000000007785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 000000000077897E second address: 0000000000778984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe TID: 6040 Thread sleep time: -39792s >= -30000s
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe TID: 2916 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 4968 Thread sleep time: -35000s >= -30000s
Source: C:\Windows\SysWOW64\cmmon32.exe TID: 2200 Thread sleep time: -44000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Thread delayed: delay time: 39792
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000002.00000000.363289775.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000002.00000000.363174585.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: cmmon32.exe, 00000005.00000002.605137350.0000000002E50000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW##
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000002.00000000.356977430.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000002.00000000.363174585.00000000083E9000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000002.00000000.356977430.00000000062E0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: cmmon32.exe, 00000005.00000002.605137350.0000000002E50000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: explorer.exe, 00000002.00000000.361509902.00000000082E2000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: VMware SVGA II
Source: 9JzK89dRiaBYTuN.exe, 00000000.00000002.341797161.0000000002541000.00000004.00000001.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000002.00000000.361509902.00000000082E2000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000002.00000000.363289775.0000000008430000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000002.00000000.355412077.0000000005D50000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: explorer.exe, 00000002.00000000.346086899.000000000095C000.00000004.00000020.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process information queried: ProcessInformation

Anti Debugging:

Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_004088B0 rdtsc 1_2_004088B0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_00409B20 LdrLoadDll, 1_2_00409B20
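Added example, not part of the Joe Sandbox report and not code from the sample: a static triage scanner that reproduces, offline, the indicators behind the signatures listed in this section and the VM-detection strings above it. It looks for the VMware registry paths and device IDs the report quotes from memory (ANSI and UTF-16LE forms), for the API names behind the DebugPort query and loader-access signatures, and for the 32-bit encodings of `mov eax/ecx, dword ptr fs:[30h]` (the PEB read that every BeingDebugged / NtGlobalFlag check starts from) and `rdtsc` (the timing primitive in function 1_2_004088B0). The input buffer, the pattern names and the signature wording are the example's own constructions. Two caveats a practitioner should keep in mind: a lone `0F 31` is a common false positive in data or unrelated code, so the scanner only treats two `rdtsc` within a short window as a timing check; and `fs:[30h]` reads also occur in ordinary runtime code, which is why the report's attribution of these functions to a separate mapped region inside RegSvcs.exe (consistent with the injection signatures in the overview) matters more than the raw count.

```python
"""Static triage for the anti-VM / anti-debug indicators listed in the report.

Added example: this is not code from the sandbox report or from the sample.
It scans a byte buffer for the VMware artefact strings the report quotes
from memory and for the x86 encodings behind the "read the PEB" and
"execution timing" signatures, then runs on a constructed buffer.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Registry paths / device IDs quoted in the report's memory dumps.  Kept as
# bytes; the scanner also checks the UTF-16LE form because the registry and
# device APIs a Windows sample calls mostly take wide strings.
VM_ARTEFACTS = [
    b"SOFTWARE\\VMware, Inc.\\VMware Tools",
    b"VMware SVGA II",
    b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port",
    b"SYSTEM\\ControlSet001\\Services\\Disk\\Enum",
    b"Ven_NECVMWar",
    b"Prod_VMware_SATA_CD00",
]

# API names behind the DebugPort query and loader-access signatures.  A hit
# only means the name is present (import table or string), not that it is
# called for anti-debugging; the report's behaviour log is what confirms that.
SUSPICIOUS_APIS = [
    b"NtQueryInformationProcess",
    b"CheckRemoteDebuggerPresent",
    b"IsDebuggerPresent",
    b"LdrLoadDll",
    b"LdrGetProcedureAddress",
]

# 32-bit encodings.  fs:[30h] is TEB.ProcessEnvironmentBlock; every
# BeingDebugged / NtGlobalFlag / heap-flag check starts from that read.
# rdtsc (0F 31) is the timing primitive named in the report.
OPCODE_PATTERNS = {
    "mov eax, dword ptr fs:[30h]": re.compile(rb"\x64(?:\xA1|\x8B\x05)\x30\x00\x00\x00"),
    "mov ecx, dword ptr fs:[30h]": re.compile(rb"\x64\x8B\x0D\x30\x00\x00\x00"),
    "rdtsc": re.compile(rb"\x0F\x31"),
}


@dataclass
class ScanResult:
    vm_artefacts: list = field(default_factory=list)
    api_names: list = field(default_factory=list)
    opcode_hits: dict = field(default_factory=dict)  # pattern name -> offsets
    rdtsc_pairs: int = 0  # rdtsc pairs close enough to be a timing delta


def scan(buf: bytes, pair_window: int = 128) -> ScanResult:
    """Collect indicator hits from a raw buffer (file, section, or memory dump)."""
    result = ScanResult()
    for s in VM_ARTEFACTS:
        if s in buf or s.decode("ascii").encode("utf-16-le") in buf:
            result.vm_artefacts.append(s.decode("ascii"))
    for s in SUSPICIOUS_APIS:
        if s in buf:
            result.api_names.append(s.decode("ascii"))
    for name, pattern in OPCODE_PATTERNS.items():
        offsets = [m.start() for m in pattern.finditer(buf)]
        if offsets:
            result.opcode_hits[name] = offsets
    # Two rdtsc reads within a short window is the classic timing check;
    # a single 0F 31 is easily a false positive in data or unrelated code.
    rd = result.opcode_hits.get("rdtsc", [])
    result.rdtsc_pairs = sum(1 for a, b in zip(rd, rd[1:]) if b - a <= pair_window)
    return result


def signatures(result: ScanResult) -> list[str]:
    """Map raw hits onto signature names in the style of the report."""
    sigs = []
    if result.vm_artefacts:
        sigs.append("Tries to detect virtualization (VMware artefact strings)")
    if any(name.endswith("fs:[30h]") for name in result.opcode_hits):
        sigs.append("Contains functionality to read the PEB")
    if "rdtsc" in result.opcode_hits:
        sigs.append("Contains functionality for execution timing")
    if result.rdtsc_pairs:
        sigs.append("rdtsc pair within window (timing-delta check)")
    if "NtQueryInformationProcess" in result.api_names:
        sigs.append("May query DebugPort via NtQueryInformationProcess")
    if {"LdrLoadDll", "LdrGetProcedureAddress"} & set(result.api_names):
        sigs.append("Contains functionality to access loader functionality")
    return sigs


def build_sample_buffer() -> bytes:
    """Constructed input, not bytes from the real sample: a PEB.BeingDebugged
    check, an rdtsc timing delta, and two strings quoted in the report."""
    code = (
        b"\x64\xA1\x30\x00\x00\x00"  # mov eax, fs:[30h]            ; PEB
        b"\x0F\xB6\x40\x02"          # movzx eax, byte ptr [eax+2]  ; BeingDebugged
        b"\x85\xC0"                  # test eax, eax
        b"\x0F\x31"                  # rdtsc
        b"\x8B\xD8"                  # mov ebx, eax
        b"\x0F\x31"                  # rdtsc
        b"\x2B\xC3"                  # sub eax, ebx
        b"\x3D\x00\x10\x00\x00"      # cmp eax, 1000h
    )
    return (b"\x00" * 64 + code + b"\x00" * 32
            + b"VMware SVGA II\x00" + b"NtQueryInformationProcess\x00")


if __name__ == "__main__":
    res = scan(build_sample_buffer())
    for name, offs in res.opcode_hits.items():
        print(f"{name}: {[hex(o) for o in offs]}")
    print("signatures:", *signatures(res), sep="\n  ")
```

Run it against a dumped section or an unpacked region rather than the packed on-disk file: the report's hits come from the injected region inside RegSvcs.exe, and the packed original would show none of the opcode patterns.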
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A669A6 mov eax, dword ptr fs:[00000030h] 1_2_01A669A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A161A0 mov eax, dword ptr fs:[00000030h] 1_2_01A161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A161A0 mov eax, dword ptr fs:[00000030h] 1_2_01A161A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h] 1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h] 1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h] 1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A651BE mov eax, dword ptr fs:[00000030h] 1_2_01A651BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0C182 mov eax, dword ptr fs:[00000030h] 1_2_01A0C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1A185 mov eax, dword ptr fs:[00000030h] 1_2_01A1A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12990 mov eax, dword ptr fs:[00000030h] 1_2_01A12990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A741E8 mov eax, dword ptr fs:[00000030h] 1_2_01A741E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EB1E1 mov eax, dword ptr fs:[00000030h] 1_2_019EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EB1E1 mov eax, dword ptr fs:[00000030h] 1_2_019EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EB1E1 mov eax, dword ptr fs:[00000030h] 1_2_019EB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h] 1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h] 1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h] 1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A04120 mov eax, dword ptr fs:[00000030h] 1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A04120 mov ecx, dword ptr fs:[00000030h] 1_2_01A04120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1513A mov eax, dword ptr fs:[00000030h] 1_2_01A1513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1513A mov eax, dword ptr fs:[00000030h] 1_2_01A1513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9100 mov eax, dword ptr fs:[00000030h] 1_2_019E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9100 mov eax, dword ptr fs:[00000030h] 1_2_019E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9100 mov eax, dword ptr fs:[00000030h] 1_2_019E9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0B944 mov eax, dword ptr fs:[00000030h] 1_2_01A0B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0B944 mov eax, dword ptr fs:[00000030h] 1_2_01A0B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EB171 mov eax, dword ptr fs:[00000030h] 1_2_019EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EB171 mov eax, dword ptr fs:[00000030h] 1_2_019EB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EC962 mov eax, dword ptr fs:[00000030h] 1_2_019EC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h] 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h] 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h] 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h] 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h] 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A120A0 mov eax, dword ptr fs:[00000030h] 1_2_01A120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A290AF mov eax, dword ptr fs:[00000030h] 1_2_01A290AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9080 mov eax, dword ptr fs:[00000030h] 1_2_019E9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1F0BF mov ecx, dword ptr fs:[00000030h] 1_2_01A1F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1F0BF mov eax, dword ptr fs:[00000030h] 1_2_01A1F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1F0BF mov eax, dword ptr fs:[00000030h] 1_2_01A1F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A63884 mov eax, dword ptr fs:[00000030h] 1_2_01A63884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A63884 mov eax, dword ptr fs:[00000030h] 1_2_01A63884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E58EC mov eax, dword ptr fs:[00000030h] 1_2_019E58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h] 1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7B8D0 mov ecx, dword ptr fs:[00000030h] 1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h] 1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h] 1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h] 1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7B8D0 mov eax, dword ptr fs:[00000030h] 1_2_01A7B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h] 1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h] 1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h] 1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h] 1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1002D mov eax, dword ptr fs:[00000030h] 1_2_01A1002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A67016 mov eax, dword ptr fs:[00000030h] 1_2_01A67016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A67016 mov eax, dword ptr fs:[00000030h] 1_2_01A67016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A67016 mov eax, dword ptr fs:[00000030h] 1_2_01A67016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h] 1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h] 1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h] 1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FB02A mov eax, dword ptr fs:[00000030h] 1_2_019FB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB4015 mov eax, dword ptr fs:[00000030h] 1_2_01AB4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB4015 mov eax, dword ptr fs:[00000030h] 1_2_01AB4015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA2073 mov eax, dword ptr fs:[00000030h] 1_2_01AA2073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB1074 mov eax, dword ptr fs:[00000030h] 1_2_01AB1074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A00050 mov eax, dword ptr fs:[00000030h] 1_2_01A00050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A00050 mov eax, dword ptr fs:[00000030h] 1_2_01A00050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A14BAD mov eax, dword ptr fs:[00000030h] 1_2_01A14BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A14BAD mov eax, dword ptr fs:[00000030h] 1_2_01A14BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A14BAD mov eax, dword ptr fs:[00000030h] 1_2_01A14BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB5BA5 mov eax, dword ptr fs:[00000030h] 1_2_01AB5BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F1B8F mov eax, dword ptr fs:[00000030h] 1_2_019F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F1B8F mov eax, dword ptr fs:[00000030h] 1_2_019F1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA138A mov eax, dword ptr fs:[00000030h] 1_2_01AA138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A9D380 mov ecx, dword ptr fs:[00000030h] 1_2_01A9D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1B390 mov eax, dword ptr fs:[00000030h] 1_2_01A1B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12397 mov eax, dword ptr fs:[00000030h] 1_2_01A12397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h] 1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h] 1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h] 1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h] 1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h] 1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A103E2 mov eax, dword ptr fs:[00000030h] 1_2_01A103E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A653CA mov eax, dword ptr fs:[00000030h] 1_2_01A653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A653CA mov eax, dword ptr fs:[00000030h] 1_2_01A653CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA131B mov eax, dword ptr fs:[00000030h] 1_2_01AA131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EF358 mov eax, dword ptr fs:[00000030h] 1_2_019EF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A13B7A mov eax, dword ptr fs:[00000030h] 1_2_01A13B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A13B7A mov eax, dword ptr fs:[00000030h] 1_2_01A13B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EDB40 mov eax, dword ptr fs:[00000030h] 1_2_019EDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB8B58 mov eax, dword ptr fs:[00000030h] 1_2_01AB8B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EDB60 mov ecx, dword ptr fs:[00000030h] 1_2_019EDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1FAB0 mov eax, dword ptr fs:[00000030h] 1_2_01A1FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FAAB0 mov eax, dword ptr fs:[00000030h] 1_2_019FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FAAB0 mov eax, dword ptr fs:[00000030h] 1_2_019FAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1D294 mov eax, dword ptr fs:[00000030h] 1_2_01A1D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1D294 mov eax, dword ptr fs:[00000030h] 1_2_01A1D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h] 1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h] 1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h] 1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h] 1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E52A5 mov eax, dword ptr fs:[00000030h] 1_2_019E52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12AE4 mov eax, dword ptr fs:[00000030h] 1_2_01A12AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12ACB mov eax, dword ptr fs:[00000030h] 1_2_01A12ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EAA16 mov eax, dword ptr fs:[00000030h] 1_2_019EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EAA16 mov eax, dword ptr fs:[00000030h] 1_2_019EAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A24A2C mov eax, dword ptr fs:[00000030h] 1_2_01A24A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A24A2C mov eax, dword ptr fs:[00000030h] 1_2_01A24A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F8A0A mov eax, dword ptr fs:[00000030h] 1_2_019F8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A03A1C mov eax, dword ptr fs:[00000030h] 1_2_01A03A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A9B260 mov eax, dword ptr fs:[00000030h] 1_2_01A9B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A9B260 mov eax, dword ptr fs:[00000030h] 1_2_01A9B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB8A62 mov eax, dword ptr fs:[00000030h] 1_2_01AB8A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A2927A mov eax, dword ptr fs:[00000030h] 1_2_01A2927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h] 1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h] 1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h] 1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E9240 mov eax, dword ptr fs:[00000030h] 1_2_019E9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A74257 mov eax, dword ptr fs:[00000030h] 1_2_01A74257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A135A1 mov eax, dword ptr fs:[00000030h] 1_2_01A135A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h] 1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h] 1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h] 1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h] 1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E2D8A mov eax, dword ptr fs:[00000030h] 1_2_019E2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A11DB5 mov eax, dword ptr fs:[00000030h] 1_2_01A11DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A11DB5 mov eax, dword ptr fs:[00000030h] 1_2_01A11DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A11DB5 mov eax, dword ptr fs:[00000030h] 1_2_01A11DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h] 1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h] 1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h] 1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A12581 mov eax, dword ptr fs:[00000030h] 1_2_01A12581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1FD9B mov eax, dword ptr fs:[00000030h] 1_2_01A1FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1FD9B mov eax, dword ptr fs:[00000030h] 1_2_01A1FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A98DF1 mov eax, dword ptr fs:[00000030h] 1_2_01A98DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FD5E0 mov eax, dword ptr fs:[00000030h] 1_2_019FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019FD5E0 mov eax, dword ptr fs:[00000030h] 1_2_019FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A6A537 mov eax, dword ptr fs:[00000030h] 1_2_01A6A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A14D3B mov eax, dword ptr fs:[00000030h] 1_2_01A14D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A14D3B mov eax, dword ptr fs:[00000030h] 1_2_01A14D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A14D3B mov eax, dword ptr fs:[00000030h] 1_2_01A14D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB8D34 mov eax, dword ptr fs:[00000030h] 1_2_01AB8D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F3D34 mov eax, dword ptr fs:[00000030h] 1_2_019F3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019EAD30 mov eax, dword ptr fs:[00000030h] 1_2_019EAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0C577 mov eax, dword ptr fs:[00000030h] 1_2_01A0C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0C577 mov eax, dword ptr fs:[00000030h] 1_2_01A0C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A23D43 mov eax, dword ptr fs:[00000030h] 1_2_01A23D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A63540 mov eax, dword ptr fs:[00000030h] 1_2_01A63540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A07D50 mov eax, dword ptr fs:[00000030h] 1_2_01A07D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F849B mov eax, dword ptr fs:[00000030h] 1_2_019F849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA14FB mov eax, dword ptr fs:[00000030h] 1_2_01AA14FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66CF0 mov eax, dword ptr fs:[00000030h] 1_2_01A66CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66CF0 mov eax, dword ptr fs:[00000030h] 1_2_01A66CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66CF0 mov eax, dword ptr fs:[00000030h] 1_2_01A66CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB8CD6 mov eax, dword ptr fs:[00000030h] 1_2_01AB8CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1BC2C mov eax, dword ptr fs:[00000030h] 1_2_01A1BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB740D mov eax, dword ptr fs:[00000030h] 1_2_01AB740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB740D mov eax, dword ptr fs:[00000030h] 1_2_01AB740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB740D mov eax, dword ptr fs:[00000030h] 1_2_01AB740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AA1C06 mov eax, dword ptr fs:[00000030h] 1_2_01AA1C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h] 1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h] 1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h] 1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A66C0A mov eax, dword ptr fs:[00000030h] 1_2_01A66C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0746D mov eax, dword ptr fs:[00000030h] 1_2_01A0746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1A44B mov eax, dword ptr fs:[00000030h] 1_2_01A1A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7C450 mov eax, dword ptr fs:[00000030h] 1_2_01A7C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7C450 mov eax, dword ptr fs:[00000030h] 1_2_01A7C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019F8794 mov eax, dword ptr fs:[00000030h] 1_2_019F8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A67794 mov eax, dword ptr fs:[00000030h] 1_2_01A67794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A67794 mov eax, dword ptr fs:[00000030h] 1_2_01A67794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A67794 mov eax, dword ptr fs:[00000030h] 1_2_01A67794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A237F5 mov eax, dword ptr fs:[00000030h] 1_2_01A237F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1E730 mov eax, dword ptr fs:[00000030h] 1_2_01A1E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB070D mov eax, dword ptr fs:[00000030h] 1_2_01AB070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB070D mov eax, dword ptr fs:[00000030h] 1_2_01AB070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1A70E mov eax, dword ptr fs:[00000030h] 1_2_01A1A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A1A70E mov eax, dword ptr fs:[00000030h] 1_2_01A1A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E4F2E mov eax, dword ptr fs:[00000030h] 1_2_019E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_019E4F2E mov eax, dword ptr fs:[00000030h] 1_2_019E4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A0F716 mov eax, dword ptr fs:[00000030h] 1_2_01A0F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7FF10 mov eax, dword ptr fs:[00000030h] 1_2_01A7FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01A7FF10 mov eax, dword ptr fs:[00000030h] 1_2_01A7FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 1_2_01AB8F6A mov eax, dword ptr fs:[00000030h] 1_2_01AB8F6A
Enables debug privileges
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3440
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3440
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: 900000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: explorer.exe, 00000002.00000000.346354887.0000000000EE0000.00000002.00000001.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.345941626.00000000008B8000.00000004.00000020.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.346354887.0000000000EE0000.00000002.00000001.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: explorer.exe, 00000002.00000000.346354887.0000000000EE0000.00000002.00000001.sdmp, cmmon32.exe, 00000005.00000002.605414493.0000000003270000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Queries volume information: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe VolumeInformation
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\9JzK89dRiaBYTuN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.3754088.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.9JzK89dRiaBYTuN.exe.35b0360.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.598731483.00000000008D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.342547133.0000000003549000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396448884.0000000001990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.396143865.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.395997570.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.603676182.0000000002CC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.598176527.0000000000770000.00000040.00000001.sdmp, type: MEMORY