
Windows Analysis Report Statement of Acct..exe

Overview

General Information

Sample Name: Statement of Acct..exe
Analysis ID: 483652
MD5: 850ef5cb4d3e3023ab26072a4cc6a25f
SHA1: 0947a5b62ad244324971c7863977befaae3d71fd
SHA256: bb7d986712c63235f866f11ebc85ac60c360676e0576a075f16c16f679c31c7b
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Antivirus / Scanner detection for submitted sample
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Sigma detected: CMSTP Execution Process Creation
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Uses a Windows Living Off The Land Binaries (LOL bins)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • Statement of Acct..exe (PID: 6308 cmdline: 'C:\Users\user\Desktop\Statement of Acct..exe' MD5: 850EF5CB4D3E3023AB26072A4CC6A25F)
    • RegSvcs.exe (PID: 6716 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3292 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmstp.exe (PID: 5548 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
          • cmd.exe (PID: 6152 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • explorer.exe (PID: 6364 cmdline: 'C:\Windows\explorer.exe' /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fhuosa.com/tgnd/"], "decoy": ["forever1887.com", "zkz889.icu", "futuresmanagers.com", "salondebelle.biz", "ziwomou.site", "mobilestoreok.com", "codexiveserver.xyz", "cloudrail.net", "pancakeandwaffle.net", "ckbtmg.com", "ralphboyer.net", "carpenterglobal.solutions", "mercoso.com", "restoreyourpavers.com", "tianyunpd.com", "lan-sinoh.xyz", "networlink.com", "kazisworkshop.com", "hempandcan.com", "wd255.com", "spectedsinues.com", "winbigcompetitions.com", "careconnectorsfl.com", "customia.xyz", "aestheticsbychill.com", "sydneymortgagebroker.sydney", "legallawgroup.com", "posafrica.biz", "rrstables.net", "opexma.com", "xxertyg.xyz", "centermen.com", "2272772.com", "badplants.com", "scrappyjonez.com", "habesha-dream.com", "doradoeventos.com", "truegifty.website", "markoonline.com", "rockpresident.com", "datasydney2022.com", "tubbsbaitco.com", "shopavix.com", "ol9qz8i2sj3ic2f8.cfd", "67161.xyz", "tallulah.top", "24-7homebiz.info", "thesugarbuddy.com", "instantcancelorder.xyz", "bpost-international.com", "infracreation.com", "otomakyaj35.xyz", "aboutforeverness.com", "racheleaton.info", "16ty6.com", "davideli.com", "financertr.xyz", "matteogonfiantini.com", "loudandclearcaraudio.com", "spalp.xyz", "apkversion.site", "littlehappy.world", "georgecuthbert.com", "au-easyprofit-way.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed beneath each row)
00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16ab9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bcc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ae8:$sqlite3text: 68 38 2A 90 C5
  • 0x16c0d:$sqlite3text: 68 38 2A 90 C5
  • 0x16afb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c23:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings (listed beneath each row)
6.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.RegSvcs.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15cb9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dcc:$sqlite3step: 68 34 1C 7B E1
  • 0x15ce8:$sqlite3text: 68 38 2A 90 C5
  • 0x15e0d:$sqlite3text: 68 38 2A 90 C5
  • 0x15cfb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e23:$sqlite3blob: 68 53 D8 7F 8C
6.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b87:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Source: Process started; Author: Oleg Kolesnikov @securonix invrep_de, oscd.community, Florian Roth, Christian Burkard; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Statement of Acct..exe' , ParentImage: C:\Users\user\Desktop\Statement of Acct..exe, ParentProcessId: 6308, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6716
Sigma detected: CMSTP Execution Process Creation
Source: Process started; Author: Nik Seetharaman; Data: Command: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmstp.exe, ParentImage: C:\Windows\SysWOW64\cmstp.exe, ParentProcessId: 5548, ProcessCommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', ProcessId: 6152
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, CommandLine|base64offset|contains: , Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, NewProcessName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, OriginalFileName: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ParentCommandLine: 'C:\Users\user\Desktop\Statement of Acct..exe' , ParentImage: C:\Users\user\Desktop\Statement of Acct..exe, ParentProcessId: 6308, ProcessCommandLine: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6716

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook {"C2 list": ["www.fhuosa.com/tgnd/"], "decoy": ["forever1887.com", "zkz889.icu", "futuresmanagers.com", "salondebelle.biz", "ziwomou.site", "mobilestoreok.com", "codexiveserver.xyz", "cloudrail.net", "pancakeandwaffle.net", "ckbtmg.com", "ralphboyer.net", "carpenterglobal.solutions", "mercoso.com", "restoreyourpavers.com", "tianyunpd.com", "lan-sinoh.xyz", "networlink.com", "kazisworkshop.com", "hempandcan.com", "wd255.com", "spectedsinues.com", "winbigcompetitions.com", "careconnectorsfl.com", "customia.xyz", "aestheticsbychill.com", "sydneymortgagebroker.sydney", "legallawgroup.com", "posafrica.biz", "rrstables.net", "opexma.com", "xxertyg.xyz", "centermen.com", "2272772.com", "badplants.com", "scrappyjonez.com", "habesha-dream.com", "doradoeventos.com", "truegifty.website", "markoonline.com", "rockpresident.com", "datasydney2022.com", "tubbsbaitco.com", "shopavix.com", "ol9qz8i2sj3ic2f8.cfd", "67161.xyz", "tallulah.top", "24-7homebiz.info", "thesugarbuddy.com", "instantcancelorder.xyz", "bpost-international.com", "infracreation.com", "otomakyaj35.xyz", "aboutforeverness.com", "racheleaton.info", "16ty6.com", "davideli.com", "financertr.xyz", "matteogonfiantini.com", "loudandclearcaraudio.com", "spalp.xyz", "apkversion.site", "littlehappy.world", "georgecuthbert.com", "au-easyprofit-way.xyz"]}
Yara detected FormBook
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: Statement of Acct..exe; Avira: detected
Machine Learning detection for sample
Source: Statement of Acct..exe; Joe Sandbox ML: detected
Source: 6.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: Statement of Acct..exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
Source: Statement of Acct..exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
Source: Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000006.00000002.352653457.0000000001020000.00000040.00020000.sdmp
Source: Binary string: RegSvcs.pdb, source: cmstp.exe, 00000012.00000002.570765603.00000000005EC000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000003.281526807.0000000000EB0000.00000004.00000001.sdmp, cmstp.exe, 00000012.00000002.572364026.00000000047BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmstp.exe
Source: Binary string: cmstp.pdb source: RegSvcs.exe, 00000006.00000002.352653457.0000000001020000.00000040.00020000.sdmp
Source: Binary string: RegSvcs.pdb source: cmstp.exe, 00000012.00000002.570765603.00000000005EC000.00000004.00000020.sdmp
Source: Binary string: eex.pdb source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then pop edi; 6_2_00415687
Source: C:\Windows\SysWOW64\cmstp.exe; Code function: 4x nop then pop edi; 18_2_02C25687

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.fhuosa.com/tgnd/
Source: explorer.exe, 0000001F.00000002.558114958.00007FFF97D29000.00000002.00020000.sdmp; String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 0000001F.00000002.558114958.00007FFF97D29000.00000002.00020000.sdmp; String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: explorer.exe, 0000001F.00000002.546262433.0000000008352000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Statement of Acct..exe, 00000001.00000003.259045485.00000000059BB000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: Statement of Acct..exe, 00000001.00000003.259045485.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.comoT
Source: Statement of Acct..exe, 00000001.00000003.259045485.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://fontfabrik.comp
Source: explorer.exe, 00000009.00000000.337658583.000000000ECC0000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.microsoft.co
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Statement of Acct..exe, 00000001.00000003.264462671.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: Statement of Acct..exe, 00000001.00000003.264462671.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.ascendercorp.com/typedesigners.htmlZ
Source: explorer.exe, 00000009.00000000.310033076.0000000006870000.00000004.00000001.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comEacf
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comTC
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coma
Source: Statement of Acct..exe, 00000001.00000003.262963855.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comacd
Source: Statement of Acct..exe, 00000001.00000003.262646868.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comae
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comdd
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.come
Source: Statement of Acct..exe, 00000001.00000003.263643018.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comes
Source: Statement of Acct..exe, 00000001.00000003.263643018.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comhlyY
Source: Statement of Acct..exe, 00000001.00000003.263320335.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comic
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comig
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comm
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.
Source: Statement of Acct..exe, 00000001.00000003.262771270.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comoa
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: Statement of Acct..exe, 00000001.00000003.268396294.00000000059C1000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: Statement of Acct..exe, 00000001.00000003.267751284.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Statement of Acct..exe, 00000001.00000003.270048479.00000000059DE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html.
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Statement of Acct..exe, 00000001.00000003.270048479.00000000059DE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmle
Source: Statement of Acct..exe, 00000001.00000003.269718934.00000000059BB000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Statement of Acct..exe, 00000001.00000003.269628851.00000000059DE000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmli
Source: Statement of Acct..exe, 00000001.00000003.267813196.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers2
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000003.269171308.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: Statement of Acct..exe, 00000001.00000003.267988132.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersJ
Source: Statement of Acct..exe, 00000001.00000003.268298607.00000000059C1000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersP
Source: Statement of Acct..exe, 00000001.00000003.275141930.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersa
Source: Statement of Acct..exe, 00000001.00000003.270346557.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersf
Source: Statement of Acct..exe, 00000001.00000002.281801359.0000000001117000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: Statement of Acct..exe, 00000001.00000002.281801359.0000000001117000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comm
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Statement of Acct..exe, 00000001.00000003.261800977.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/tr
Source: Statement of Acct..exe, 00000001.00000003.261918947.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/u
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnadeG
Source: Statement of Acct..exe, 00000001.00000003.262915588.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cniesI
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Statement of Acct..exe, 00000001.00000003.272140319.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmes-es_tradnl
Source: Statement of Acct..exe, 00000001.00000003.272196518.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmf
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Statement of Acct..exe, 00000001.00000003.257739241.00000000059A2000.00000004.00000001.sdmp, Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: Statement of Acct..exe, 00000001.00000003.257739241.00000000059A2000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.coma
Source: Statement of Acct..exe, 00000001.00000003.264462671.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: Statement of Acct..exe, 00000001.00000003.260949530.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: Statement of Acct..exe, 00000001.00000003.261090323.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krde
Source: Statement of Acct..exe, 00000001.00000003.260949530.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krle
Source: Statement of Acct..exe, 00000001.00000003.261090323.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krn
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: Statement of Acct..exe, 00000001.00000003.262118335.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comn
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: Statement of Acct..exe, 00000001.00000003.270596707.00000000059C8000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.de
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: Statement of Acct..exe, 00000001.00000003.267250978.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deO
Source: Statement of Acct..exe, 00000001.00000003.267250978.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deo
Source: Statement of Acct..exe, 00000001.00000003.267250978.00000000059C3000.00000004.00000001.sdmp; String found in binary or memory: http://www.urwpp.deoi
Source: Statement of Acct..exe, 00000001.00000002.291144088.0000000006BB2000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: Statement of Acct..exe, 00000001.00000003.262505353.00000000059BB000.00000004.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cncj

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: Statement of Acct..exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.352548910.0000000000FB0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.351561948.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.570633609.00000000004E0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.334707595.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.571687076.0000000002C10000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000000.313551615.0000000007D6B000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.352452527.0000000000F80000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.571420301.0000000002910000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\Statement of Acct..exe Code function: 1_2_0068EB73
          Source: C:\Users\user\Desktop\Statement of Acct..exe Code function: 1_2_0068EA84
          Source: C:\Users\user\Desktop\Statement of Acct..exe Code function: 1_2_0068E30D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041B8FA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041C974
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041D291
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041CB5C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00408C5B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00408C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041C68E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0107F900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01094120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01131002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0108B090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010AEBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01070D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01141D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0108841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_01096E30
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0478D466
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046D841F
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04791D55
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046C0D20
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04792D07
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046DD5E0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047925DD
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046F2581
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046E6E30
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0478D616
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04792EF7
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04791FF1
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04781002
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047928EC
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046F20A0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047920A8
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046DB090
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046E4120
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046CF900
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047922AE
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04792B28
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0478DBD2
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_046FEBB0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C2D291
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C2CB5C
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C2B8FA
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C2C974
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C12FB0
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C18C5B
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C18C60
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C12D90
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: String function: 046CB150 appears 35 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004185C0 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_00418670 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004186F0 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004187A0 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004185BA NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041866A NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_004186EA NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_0041879A NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B99D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010BB040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B98A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010BA3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010BAD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B95F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010BA710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010BA770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B9670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 6_2_010B96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047095D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047096E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047096D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047099A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0470AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047095F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0470A770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0470A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047097A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0470B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047098F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047098A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_047099D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_04709B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_0470A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C286F0 NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C28670 NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C287A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C285C0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C286EA NtClose
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C2866A NtReadFile
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C2879A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmstp.exe Code function: 18_2_02C285BA NtCreateFile
          Source: C:\Windows\explorer.exe Process Stats: CPU usage > 98%
          Source: Statement of Acct..exe, 00000001.00000002.280674453.0000000000696000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameDefaultDllImportSearchPathsAttribu.exe< vs Statement of Acct..exe
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEnvoySinks.dll6 vs Statement of Acct..exe
          Source: Statement of Acct..exe, 00000001.00000002.283227986.0000000003A39000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCF_Secretaria.dll< vs Statement of Acct..exe
          Source: Statement of Acct..exe Binary or memory string: OriginalFilenameDefaultDllImportSearchPathsAttribu.exe< vs Statement of Acct..exe
          Source: Statement of Acct..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: Statement of Acct..exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Statement of Acct..exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown Process created: C:\Users\user\Desktop\Statement of Acct..exe 'C:\Users\user\Desktop\Statement of Acct..exe'
          Source: C:\Users\user\Desktop\Statement of Acct..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Windows\explorer.exe 'C:\Windows\explorer.exe' /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\Statement of Acct..exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          Source: C:\Windows\SysWOW64\cmstp.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\Statement of Acct..exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Statement of Acct..exe.log
          Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@0/0
          Source: C:\Windows\explorer.exe File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
          Source: C:\Users\user\Desktop\Statement of Acct..exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_01
          Source: unknownProcess created: C:\Windows\explorer.exe
          Source: Statement of Acct..exe, u0008u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.2.Statement of Acct..exe.610000.0.unpack, u0008u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: 1.0.Statement of Acct..exe.610000.0.unpack, u0008u2000.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Statement of Acct..exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: Statement of Acct..exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Statement of Acct..exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
          Source: Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp
          Source: Binary string: cmstp.pdbGCTL source: RegSvcs.exe, 00000006.00000002.352653457.0000000001020000.00000040.00020000.sdmp
          Source: Binary string: RegSvcs.pdb, source: cmstp.exe, 00000012.00000002.570765603.00000000005EC000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000006.00000003.281526807.0000000000EB0000.00000004.00000001.sdmp, cmstp.exe, 00000012.00000002.572364026.00000000047BF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, cmstp.exe
          Source: Binary string: cmstp.pdb source: RegSvcs.exe, 00000006.00000002.352653457.0000000001020000.00000040.00020000.sdmp
          Source: Binary string: RegSvcs.pdb source: cmstp.exe, 00000012.00000002.570765603.00000000005EC000.00000004.00000020.sdmp
          Source: Binary string: eex.pdb source: explorer.exe, 0000001F.00000002.557832791.00007FFF97C41000.00000020.00020000.sdmp

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: Statement of Acct..exe, u0008u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.Statement of Acct..exe.610000.0.unpack, u0008u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.Statement of Acct..exe.610000.0.unpack, u0008u2000.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B86C push eax; ret | 6_2_0041B872
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B802 push eax; ret | 6_2_0041B808
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B80B push eax; ret | 6_2_0041B872
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D0E1 push esp; ret | 6_2_0041D0DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D17C push esp; ret | 6_2_0041D0DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00416219 push es; ret | 6_2_0041621A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041D291 push esp; ret | 6_2_0041D0DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041CF30 push esp; ret | 6_2_0041D0DE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041B7B5 push eax; ret | 6_2_0041B808
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010CD0D1 push ecx; ret | 6_2_010CD0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0471D0D1 push ecx; ret | 18_2_0471D0E4
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2D291 push esp; ret | 18_2_02C2D0DE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C26219 push es; ret | 18_2_02C2621A
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2D0E1 push esp; ret | 18_2_02C2D0DE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2B86C push eax; ret | 18_2_02C2B872
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2B802 push eax; ret | 18_2_02C2B808
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2B80B push eax; ret | 18_2_02C2B872
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2D17C push esp; ret | 18_2_02C2D0DE
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2B7B5 push eax; ret | 18_2_02C2B808
          Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_02C2CF30 push esp; ret | 18_2_02C2D0DE
          Source: initial sample | Static PE information: section name: .text entropy: 7.9513688182
          Source: C:\Users\user\Desktop\Statement of Acct..exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM3
          Source: Yara match | File source: 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: Statement of Acct..exe PID: 6308, type: MEMORYSTR
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004085F4 second address: 00000000004085FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002C185F4 second address: 0000000002C185FA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\cmstp.exe | RDTSC instruction interceptor: First address: 0000000002C1897E second address: 0000000002C18984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\Statement of Acct..exe TID: 6312 | Thread sleep time: -43483s >= -30000s
          Source: C:\Users\user\Desktop\Statement of Acct..exe TID: 6384 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\SysWOW64\cmstp.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004088B0 rdtsc | 6_2_004088B0
          Source: C:\Users\user\Desktop\Statement of Acct..exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\cmstp.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\Statement of Acct..exe | Thread delayed: delay time: 43483
          Source: explorer.exe, 00000009.00000000.314009591.0000000008A32000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 0000001F.00000002.532910815.0000000004505000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000001F.00000002.535667052.000000000680D000.00000004.00000001.sdmp | Binary or memory string: Prod_VMware_SATA
          Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00WB
          Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp | Binary or memory string: NECVMWarVMware SATA CD001.00
          Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
          Source: explorer.exe, 0000001F.00000002.547896887.000000000844A000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00.nJ
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 0000001F.00000002.547541515.00000000083CE000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 0000001F.00000002.535667052.000000000680D000.00000004.00000001.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}Q8
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 0000001F.00000002.547896887.000000000844A000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00~o
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
          Source: Statement of Acct..exe, 00000001.00000002.281560751.0000000000D2E000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: explorer.exe, 00000009.00000000.298200387.0000000008C73000.00000004.00000001.sdmp | Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: explorer.exe, 0000001F.00000002.546340892.0000000008362000.00000004.00000001.sdmp | Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp | Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: Statement of Acct..exe, 00000001.00000002.282193017.0000000002A86000.00000004.00000001.sdmp | Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 0000001F.00000002.522216604.0000000000A68000.00000004.00000020.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001F.00000002.535667052.000000000680D000.00000004.00000001.sdmp | Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}es
          Source: explorer.exe, 00000009.00000000.314387168.0000000008ACF000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
          Source: explorer.exe, 00000009.00000000.297782820.0000000008B88000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
          Source: explorer.exe, 00000009.00000000.310642515.00000000069DA000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD002
          Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp | Binary or memory string: War&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000001F.00000002.535847908.00000000068B4000.00000004.00000001.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
          Source: explorer.exe, 0000001F.00000002.545899264.000000000824F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: C:\Windows\SysWOW64\cmstp.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01079100 mov eax, dword ptr fs:[00000030h] | 6_2_01079100
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01094120 mov eax, dword ptr fs:[00000030h] | 6_2_01094120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01094120 mov ecx, dword ptr fs:[00000030h] | 6_2_01094120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010A513A mov eax, dword ptr fs:[00000030h] | 6_2_010A513A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0109B944 mov eax, dword ptr fs:[00000030h] | 6_2_0109B944
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0107B171 mov eax, dword ptr fs:[00000030h] | 6_2_0107B171
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0109C182 mov eax, dword ptr fs:[00000030h] | 6_2_0109C182
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010AA185 mov eax, dword ptr fs:[00000030h] | 6_2_010AA185
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0107B1E1 mov eax, dword ptr fs:[00000030h] | 6_2_0107B1E1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01144015 mov eax, dword ptr fs:[00000030h] | 6_2_01144015
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010F7016 mov eax, dword ptr fs:[00000030h] | 6_2_010F7016
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0108B02A mov eax, dword ptr fs:[00000030h] | 6_2_0108B02A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01090050 mov eax, dword ptr fs:[00000030h] | 6_2_01090050
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01132073 mov eax, dword ptr fs:[00000030h] | 6_2_01132073
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01141074 mov eax, dword ptr fs:[00000030h] | 6_2_01141074
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01079080 mov eax, dword ptr fs:[00000030h] | 6_2_01079080
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010F3884 mov eax, dword ptr fs:[00000030h] | 6_2_010F3884
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010B90AF mov eax, dword ptr fs:[00000030h] | 6_2_010B90AF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010AF0BF mov ecx, dword ptr fs:[00000030h] | 6_2_010AF0BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010AF0BF mov eax, dword ptr fs:[00000030h] | 6_2_010AF0BF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0110B8D0 mov eax, dword ptr fs:[00000030h] | 6_2_0110B8D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0110B8D0 mov ecx, dword ptr fs:[00000030h] | 6_2_0110B8D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0113131B mov eax, dword ptr fs:[00000030h] | 6_2_0113131B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0107DB40 mov eax, dword ptr fs:[00000030h] | 6_2_0107DB40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01148B58 mov eax, dword ptr fs:[00000030h] | 6_2_01148B58
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0107F358 mov eax, dword ptr fs:[00000030h] | 6_2_0107F358
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0107DB60 mov ecx, dword ptr fs:[00000030h] | 6_2_0107DB60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010A3B7A mov eax, dword ptr fs:[00000030h] | 6_2_010A3B7A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01081B8F mov eax, dword ptr fs:[00000030h] | 6_2_01081B8F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0112D380 mov ecx, dword ptr fs:[00000030h] | 6_2_0112D380
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0113138A mov eax, dword ptr fs:[00000030h] | 6_2_0113138A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01145BA5 mov eax, dword ptr fs:[00000030h] | 6_2_01145BA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01093A1C mov eax, dword ptr fs:[00000030h] | 6_2_01093A1C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01079240 mov eax, dword ptr fs:[00000030h] | 6_2_01079240
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010B927A mov eax, dword ptr fs:[00000030h] | 6_2_010B927A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0112B260 mov eax, dword ptr fs:[00000030h] | 6_2_0112B260
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01148A62 mov eax, dword ptr fs:[00000030h] | 6_2_01148A62
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010AD294 mov eax, dword ptr fs:[00000030h] | 6_2_010AD294
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010752A5 mov eax, dword ptr fs:[00000030h] | 6_2_010752A5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010AFAB0 mov eax, dword ptr fs:[00000030h] | 6_2_010AFAB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_01148D34 mov eax, dword ptr fs:[00000030h] | 6_2_01148D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_010A4D3B mov eax, dword ptr fs:[00000030h] | 6_2_010A4D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010A4D3B mov eax, dword ptr fs:[00000030h]6_2_010A4D3B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0107AD30 mov eax, dword ptr fs:[00000030h]6_2_0107AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01083D34 mov eax, dword ptr fs:[00000030h]6_2_01083D34
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010B3D43 mov eax, dword ptr fs:[00000030h]6_2_010B3D43
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F3540 mov eax, dword ptr fs:[00000030h]6_2_010F3540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01097D50 mov eax, dword ptr fs:[00000030h]6_2_01097D50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109C577 mov eax, dword ptr fs:[00000030h]6_2_0109C577
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109C577 mov eax, dword ptr fs:[00000030h]6_2_0109C577
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01072D8A mov eax, dword ptr fs:[00000030h]6_2_01072D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01072D8A mov eax, dword ptr fs:[00000030h]6_2_01072D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01072D8A mov eax, dword ptr fs:[00000030h]6_2_01072D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01072D8A mov eax, dword ptr fs:[00000030h]6_2_01072D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01072D8A mov eax, dword ptr fs:[00000030h]6_2_01072D8A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010AFD9B mov eax, dword ptr fs:[00000030h]6_2_010AFD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010AFD9B mov eax, dword ptr fs:[00000030h]6_2_010AFD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010A35A1 mov eax, dword ptr fs:[00000030h]6_2_010A35A1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01128DF1 mov eax, dword ptr fs:[00000030h]6_2_01128DF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F6C0A mov eax, dword ptr fs:[00000030h]6_2_010F6C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F6C0A mov eax, dword ptr fs:[00000030h]6_2_010F6C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F6C0A mov eax, dword ptr fs:[00000030h]6_2_010F6C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F6C0A mov eax, dword ptr fs:[00000030h]6_2_010F6C0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01131C06 mov eax, dword ptr fs:[00000030h]6_2_01131C06
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0114740D mov eax, dword ptr fs:[00000030h]6_2_0114740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0114740D mov eax, dword ptr fs:[00000030h]6_2_0114740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0114740D mov eax, dword ptr fs:[00000030h]6_2_0114740D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010ABC2C mov eax, dword ptr fs:[00000030h]6_2_010ABC2C
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0110C450 mov eax, dword ptr fs:[00000030h]6_2_0110C450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0110C450 mov eax, dword ptr fs:[00000030h]6_2_0110C450
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109746D mov eax, dword ptr fs:[00000030h]6_2_0109746D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01148CD6 mov eax, dword ptr fs:[00000030h]6_2_01148CD6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_011314FB mov eax, dword ptr fs:[00000030h]6_2_011314FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0110FF10 mov eax, dword ptr fs:[00000030h]6_2_0110FF10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0110FF10 mov eax, dword ptr fs:[00000030h]6_2_0110FF10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0114070D mov eax, dword ptr fs:[00000030h]6_2_0114070D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0114070D mov eax, dword ptr fs:[00000030h]6_2_0114070D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01074F2E mov eax, dword ptr fs:[00000030h]6_2_01074F2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01074F2E mov eax, dword ptr fs:[00000030h]6_2_01074F2E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010AE730 mov eax, dword ptr fs:[00000030h]6_2_010AE730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0108EF40 mov eax, dword ptr fs:[00000030h]6_2_0108EF40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0108FF60 mov eax, dword ptr fs:[00000030h]6_2_0108FF60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01148F6A mov eax, dword ptr fs:[00000030h]6_2_01148F6A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F7794 mov eax, dword ptr fs:[00000030h]6_2_010F7794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F7794 mov eax, dword ptr fs:[00000030h]6_2_010F7794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F7794 mov eax, dword ptr fs:[00000030h]6_2_010F7794
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0107C600 mov eax, dword ptr fs:[00000030h]6_2_0107C600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0107C600 mov eax, dword ptr fs:[00000030h]6_2_0107C600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0107C600 mov eax, dword ptr fs:[00000030h]6_2_0107C600
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0107E620 mov eax, dword ptr fs:[00000030h]6_2_0107E620
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0112FE3F mov eax, dword ptr fs:[00000030h]6_2_0112FE3F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01087E41 mov eax, dword ptr fs:[00000030h]6_2_01087E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01087E41 mov eax, dword ptr fs:[00000030h]6_2_01087E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01087E41 mov eax, dword ptr fs:[00000030h]6_2_01087E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01087E41 mov eax, dword ptr fs:[00000030h]6_2_01087E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01087E41 mov eax, dword ptr fs:[00000030h]6_2_01087E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01087E41 mov eax, dword ptr fs:[00000030h]6_2_01087E41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0108766D mov eax, dword ptr fs:[00000030h]6_2_0108766D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109AE73 mov eax, dword ptr fs:[00000030h]6_2_0109AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109AE73 mov eax, dword ptr fs:[00000030h]6_2_0109AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109AE73 mov eax, dword ptr fs:[00000030h]6_2_0109AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109AE73 mov eax, dword ptr fs:[00000030h]6_2_0109AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0109AE73 mov eax, dword ptr fs:[00000030h]6_2_0109AE73
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0110FE87 mov eax, dword ptr fs:[00000030h]6_2_0110FE87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010F46A7 mov eax, dword ptr fs:[00000030h]6_2_010F46A7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01140EA5 mov eax, dword ptr fs:[00000030h]6_2_01140EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01140EA5 mov eax, dword ptr fs:[00000030h]6_2_01140EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01140EA5 mov eax, dword ptr fs:[00000030h]6_2_01140EA5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_01148ED6 mov eax, dword ptr fs:[00000030h]6_2_01148ED6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010A36CC mov eax, dword ptr fs:[00000030h]6_2_010A36CC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010B8EC7 mov eax, dword ptr fs:[00000030h]6_2_010B8EC7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0112FEC0 mov eax, dword ptr fs:[00000030h]6_2_0112FEC0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010A16E0 mov ecx, dword ptr fs:[00000030h]6_2_010A16E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_010876E2 mov eax, dword ptr fs:[00000030h]6_2_010876E2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046E746D mov eax, dword ptr fs:[00000030h]18_2_046E746D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046FA44B mov eax, dword ptr fs:[00000030h]18_2_046FA44B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0475C450 mov eax, dword ptr fs:[00000030h]18_2_0475C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0475C450 mov eax, dword ptr fs:[00000030h]18_2_0475C450
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046FBC2C mov eax, dword ptr fs:[00000030h]18_2_046FBC2C
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0479740D mov eax, dword ptr fs:[00000030h]18_2_0479740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0479740D mov eax, dword ptr fs:[00000030h]18_2_0479740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0479740D mov eax, dword ptr fs:[00000030h]18_2_0479740D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781C06 mov eax, dword ptr fs:[00000030h]18_2_04781C06
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746C0A mov eax, dword ptr fs:[00000030h]18_2_04746C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746C0A mov eax, dword ptr fs:[00000030h]18_2_04746C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746C0A mov eax, dword ptr fs:[00000030h]18_2_04746C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746C0A mov eax, dword ptr fs:[00000030h]18_2_04746C0A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_047814FB mov eax, dword ptr fs:[00000030h]18_2_047814FB
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746CF0 mov eax, dword ptr fs:[00000030h]18_2_04746CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746CF0 mov eax, dword ptr fs:[00000030h]18_2_04746CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746CF0 mov eax, dword ptr fs:[00000030h]18_2_04746CF0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04798CD6 mov eax, dword ptr fs:[00000030h]18_2_04798CD6
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D849B mov eax, dword ptr fs:[00000030h]18_2_046D849B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EC577 mov eax, dword ptr fs:[00000030h]18_2_046EC577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EC577 mov eax, dword ptr fs:[00000030h]18_2_046EC577
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04703D43 mov eax, dword ptr fs:[00000030h]18_2_04703D43
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04743540 mov eax, dword ptr fs:[00000030h]18_2_04743540
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046E7D50 mov eax, dword ptr fs:[00000030h]18_2_046E7D50
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478E539 mov eax, dword ptr fs:[00000030h]18_2_0478E539
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0474A537 mov eax, dword ptr fs:[00000030h]18_2_0474A537
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04798D34 mov eax, dword ptr fs:[00000030h]18_2_04798D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F4D3B mov eax, dword ptr fs:[00000030h]18_2_046F4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F4D3B mov eax, dword ptr fs:[00000030h]18_2_046F4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F4D3B mov eax, dword ptr fs:[00000030h]18_2_046F4D3B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D3D34 mov eax, dword ptr fs:[00000030h]18_2_046D3D34
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046CAD30 mov eax, dword ptr fs:[00000030h]18_2_046CAD30
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04778DF1 mov eax, dword ptr fs:[00000030h]18_2_04778DF1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046DD5E0 mov eax, dword ptr fs:[00000030h]18_2_046DD5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046DD5E0 mov eax, dword ptr fs:[00000030h]18_2_046DD5E0
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478FDE2 mov eax, dword ptr fs:[00000030h]18_2_0478FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478FDE2 mov eax, dword ptr fs:[00000030h]18_2_0478FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478FDE2 mov eax, dword ptr fs:[00000030h]18_2_0478FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478FDE2 mov eax, dword ptr fs:[00000030h]18_2_0478FDE2
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746DC9 mov eax, dword ptr fs:[00000030h]18_2_04746DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746DC9 mov eax, dword ptr fs:[00000030h]18_2_04746DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746DC9 mov eax, dword ptr fs:[00000030h]18_2_04746DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746DC9 mov ecx, dword ptr fs:[00000030h]18_2_04746DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746DC9 mov eax, dword ptr fs:[00000030h]18_2_04746DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04746DC9 mov eax, dword ptr fs:[00000030h]18_2_04746DC9
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F35A1 mov eax, dword ptr fs:[00000030h]18_2_046F35A1
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_047905AC mov eax, dword ptr fs:[00000030h]18_2_047905AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_047905AC mov eax, dword ptr fs:[00000030h]18_2_047905AC
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F1DB5 mov eax, dword ptr fs:[00000030h]18_2_046F1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F1DB5 mov eax, dword ptr fs:[00000030h]18_2_046F1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F1DB5 mov eax, dword ptr fs:[00000030h]18_2_046F1DB5
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046C2D8A mov eax, dword ptr fs:[00000030h]18_2_046C2D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046C2D8A mov eax, dword ptr fs:[00000030h]18_2_046C2D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046C2D8A mov eax, dword ptr fs:[00000030h]18_2_046C2D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046C2D8A mov eax, dword ptr fs:[00000030h]18_2_046C2D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046C2D8A mov eax, dword ptr fs:[00000030h]18_2_046C2D8A
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F2581 mov eax, dword ptr fs:[00000030h]18_2_046F2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F2581 mov eax, dword ptr fs:[00000030h]18_2_046F2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F2581 mov eax, dword ptr fs:[00000030h]18_2_046F2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F2581 mov eax, dword ptr fs:[00000030h]18_2_046F2581
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046FFD9B mov eax, dword ptr fs:[00000030h]18_2_046FFD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046FFD9B mov eax, dword ptr fs:[00000030h]18_2_046FFD9B
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D766D mov eax, dword ptr fs:[00000030h]18_2_046D766D
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EAE73 mov eax, dword ptr fs:[00000030h]18_2_046EAE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EAE73 mov eax, dword ptr fs:[00000030h]18_2_046EAE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EAE73 mov eax, dword ptr fs:[00000030h]18_2_046EAE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EAE73 mov eax, dword ptr fs:[00000030h]18_2_046EAE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046EAE73 mov eax, dword ptr fs:[00000030h]18_2_046EAE73
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D7E41 mov eax, dword ptr fs:[00000030h]18_2_046D7E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D7E41 mov eax, dword ptr fs:[00000030h]18_2_046D7E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D7E41 mov eax, dword ptr fs:[00000030h]18_2_046D7E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D7E41 mov eax, dword ptr fs:[00000030h]18_2_046D7E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D7E41 mov eax, dword ptr fs:[00000030h]18_2_046D7E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046D7E41 mov eax, dword ptr fs:[00000030h]18_2_046D7E41
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478AE44 mov eax, dword ptr fs:[00000030h]18_2_0478AE44
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0478AE44 mov eax, dword ptr fs:[00000030h]18_2_0478AE44
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_0477FE3F mov eax, dword ptr fs:[00000030h]18_2_0477FE3F
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046CE620 mov eax, dword ptr fs:[00000030h]18_2_046CE620
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046CC600 mov eax, dword ptr fs:[00000030h]18_2_046CC600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046CC600 mov eax, dword ptr fs:[00000030h]18_2_046CC600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046CC600 mov eax, dword ptr fs:[00000030h]18_2_046CC600
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046F8E00 mov eax, dword ptr fs:[00000030h]18_2_046F8E00
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_04781608 mov eax, dword ptr fs:[00000030h]18_2_04781608
          Source: C:\Windows\SysWOW64\cmstp.exeCode function: 18_2_046FA61C mov eax, dword ptr fs:[00000030h]18_2_046FA61C
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FA61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F16E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046D76E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F36CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04798ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0477FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04708EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_047446A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04790EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04790EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04790EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475FE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046DFF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04798F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046DEF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046C4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046C4F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FE730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FA70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475FF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0479070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0479070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046EF716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_047037F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04747794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04747794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04747794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046D8794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04782073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04791074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046E0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046E0050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046DB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04747016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04747016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04747016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04794015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_04794015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046C58EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475B8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_0475B8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046F20A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FF0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_046FF0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\cmstp.exe | Code function: 18_2_047090AF mov eax, dword ptr fs:[00000030h]