Windows Analysis Report NvkGETsSDb.exe

Overview

General Information

Sample Name: NvkGETsSDb.exe
Analysis ID: 510425
MD5: e17b528f9c192653dc9777bd46e48d82
SHA1: f4dfc93942ed0c091340057f1164b1e1e6f4a148
SHA256: 83708560ecc442b5b6dadbdf5af39ae4f1e843664c932a9de3eff1e38bf6d4a5
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.agentpathleurre.space/s18y/"], "decoy": ["jokes-online.com", "dzzdjn.com", "lizzieerhardtebnaryepptts.com", "interfacehand.xyz", "sale-m.site", "block-facebook.com", "dicasdamadrinha.com", "maythewind.com", "hasari.net", "omnists.com", "thevalley-eg.com", "rdfj.xyz", "szhfcy.com", "alkalineage.club", "fdf.xyz", "absorplus.com", "poldolongo.com", "badassshirts.club", "ferienwohnungenmv.com", "bilboondokoak.com", "ambrosiaaudio.com", "lifeneurologyclub.com", "femboys.world", "blehmails.com", "gametimebg.com", "duytienauto.net", "owerful.com", "amedicalsupplyco.com", "americonnlogistics.com", "ateamautoglassga.com", "clickstool.com", "fzdzcnj.com", "txtgo.xyz", "izassist.com", "3bangzhu.com", "myesstyle.com", "aek181129aek.xyz", "daoxinghumaotest.com", "jxdg.xyz", "restorationculturecon.com", "thenaturalnutrient.com", "sportsandgames.info", "spiderwebinar.net", "erqgseidx.com", "donutmastermind.com", "aidatislemleri-govtr.com", "weetsist.com", "sunsetschoolportaits.com", "exodusguarant.tech", "gsnbls.top", "huangdashi33.xyz", "amazonretoure.net", "greathomeinlakewood.com", "lenovoidc.com", "qiuhenglawfirm.com", "surveyorslimited.com", "carterscts.com", "helmosy.online", "bakersfieldlaughingstock.com", "as-payjrku.icu", "mr-exclusive.com", "givepy.info", "ifvita.com", "obesocarpinteria.online"]}
Multi AV Scanner detection for submitted file
Source: NvkGETsSDb.exe Virustotal: Detection: 15%
Yara detected FormBook
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.NvkGETsSDb.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.NvkGETsSDb.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.NvkGETsSDb.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.NvkGETsSDb.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: NvkGETsSDb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: NvkGETsSDb.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: NvkGETsSDb.exe, 00000002.00000002.315857212.000000000103A000.00000004.00000020.sdmp
Source: Binary string: ipconfig.pdbGCTL source: NvkGETsSDb.exe, 00000002.00000002.315857212.000000000103A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: NvkGETsSDb.exe, 00000002.00000002.315947777.0000000001470000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.517885571.0000000002C8F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NvkGETsSDb.exe, 00000002.00000002.315947777.0000000001470000.00000040.00000001.sdmp, ipconfig.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 4x nop then pop esi 2_2_00417326
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 4x nop then pop edi 2_2_00417DA8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop esi 16_2_00167326
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 16_2_00167DA8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 184.168.131.241:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49808 -> 184.168.131.241:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Domain query: www.carterscts.com
Source: C:\Windows\explorer.exe Domain query: www.lenovoidc.com
Source: C:\Windows\explorer.exe Domain query: www.mr-exclusive.com
Source: C:\Windows\explorer.exe Network Connect: 198.46.90.29 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.agentpathleurre.space/s18y/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View ASN Name: INMOTI-1US
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /s18y/?eXwdIN10=4Ci6vsYQWs8id7GhdYTjZRJculBFGSFOZGvHXdH6NGfnjVfmX1rRX92W0hUQgL+8jwmH&3fU4r=D2MpiZv HTTP/1.1 Host: www.carterscts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /s18y/?eXwdIN10=Pa4nojFHNdgR9BnFd7o8aKQocYkXN/E4z79GVA9AtWALsHU61u0W5ib2TTz7NOJsFj7K&3fU4r=D2MpiZv HTTP/1.1 Host: www.mr-exclusive.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 184.168.131.241
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.21.3 Date: Wed, 27 Oct 2021 17:37:28 GMT Content-Type: text/html; charset=iso-8859-1 Content-Length: 236 Connection: close Vary: Accept-Encoding Data Ascii: <html><head><title>Error 404 - Not Found</title><head><body><h1>Error 404 - Not Found</h1><p>The document you are looking for may have been removed or re-named. Please contact the web site owner for further assistance.</p></body></html>
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: ipconfig.exe, 00000010.00000002.519067627.000000000358F000.00000004.00020000.sdmp String found in binary or memory: https://www.afternic.com/forsale/mr-exclusive.com?utm_source=TDFS&utm_medium=sn_affiliate_click&utm_
Source: unknown DNS traffic detected: queries for: www.carterscts.com

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: NvkGETsSDb.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_00185375 0_2_00185375
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC97C0 0_2_04DC97C0
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC6A58 0_2_04DC6A58
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC0C57 0_2_04DC0C57
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC0C68 0_2_04DC0C68
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC5E66 0_2_04DC5E66
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC0A18 0_2_04DC0A18
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC0A17 0_2_04DC0A17
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_00182050 0_2_00182050
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041E423 2_2_0041E423
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041E507 2_2_0041E507
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041D5A6 2_2_0041D5A6
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041E5B3 2_2_0041E5B3
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041DE46 2_2_0041DE46
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00409E60 2_2_00409E60
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041DFA2 2_2_0041DFA2
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_009E5375 2_2_009E5375
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_009E2050 2_2_009E2050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C622AE 16_2_02C622AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C4FA2B 16_2_02C4FA2B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCEBB0 16_2_02BCEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5DBD2 16_2_02C5DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C503DA 16_2_02C503DA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C62B28 16_2_02C62B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBAB40 16_2_02BBAB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAB090 16_2_02BAB090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C628EC 16_2_02C628EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C620A8 16_2_02C620A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51002 16_2_02C51002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6E824 16_2_02C6E824
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB4120 16_2_02BB4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9F900 16_2_02B9F900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C62EF7 16_2_02C62EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB6E30 16_2_02BB6E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5D616 16_2_02C5D616
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6DFCE 16_2_02C6DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C61FF1 16_2_02C61FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5D466 16_2_02C5D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA841F 16_2_02BA841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C625DD 16_2_02C625DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2581 16_2_02BC2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAD5E0 16_2_02BAD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C61D55 16_2_02C61D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B90D20 16_2_02B90D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C62D07 16_2_02C62D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_00152D90 16_2_00152D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016E5B3 16_2_0016E5B3
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016D5A6 16_2_0016D5A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016DE46 16_2_0016DE46
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_00159E60 16_2_00159E60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_00152FB0 16_2_00152FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016DFA2 16_2_0016DFA2
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02B9B150 appears 48 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A360 NtCreateFile, 2_2_0041A360
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A410 NtReadFile, 2_2_0041A410
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A490 NtClose, 2_2_0041A490
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A540 NtAllocateVirtualMemory, 2_2_0041A540
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A35A NtCreateFile, 2_2_0041A35A
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A40A NtReadFile, 2_2_0041A40A
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041A48A NtClose, 2_2_0041A48A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9A50 NtCreateFile,LdrInitializeThunk, 16_2_02BD9A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9860 NtQuerySystemInformation,LdrInitializeThunk, 16_2_02BD9860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9840 NtDelayExecution,LdrInitializeThunk, 16_2_02BD9840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD99A0 NtCreateSection,LdrInitializeThunk, 16_2_02BD99A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 16_2_02BD9910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD96E0 NtFreeVirtualMemory,LdrInitializeThunk, 16_2_02BD96E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD96D0 NtCreateKey,LdrInitializeThunk, 16_2_02BD96D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9780 NtMapViewOfSection,LdrInitializeThunk, 16_2_02BD9780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9FE0 NtCreateMutant,LdrInitializeThunk, 16_2_02BD9FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9710 NtQueryInformationToken,LdrInitializeThunk, 16_2_02BD9710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD95D0 NtClose,LdrInitializeThunk, 16_2_02BD95D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9540 NtReadFile,LdrInitializeThunk, 16_2_02BD9540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9A80 NtOpenDirectoryObject, 16_2_02BD9A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9A20 NtResumeThread, 16_2_02BD9A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9A10 NtQuerySection, 16_2_02BD9A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9A00 NtProtectVirtualMemory, 16_2_02BD9A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BDA3B0 NtGetContextThread, 16_2_02BDA3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9B00 NtSetValueKey, 16_2_02BD9B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD98A0 NtWriteVirtualMemory, 16_2_02BD98A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD98F0 NtReadVirtualMemory, 16_2_02BD98F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9820 NtEnumerateKey, 16_2_02BD9820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BDB040 NtSuspendThread, 16_2_02BDB040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD99D0 NtCreateProcessEx, 16_2_02BD99D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9950 NtQueueApcThread, 16_2_02BD9950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9610 NtEnumerateValueKey, 16_2_02BD9610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9670 NtQueryInformationProcess, 16_2_02BD9670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9660 NtAllocateVirtualMemory, 16_2_02BD9660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9650 NtQueryValueKey, 16_2_02BD9650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD97A0 NtUnmapViewOfSection, 16_2_02BD97A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9730 NtQueryVirtualMemory, 16_2_02BD9730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BDA710 NtOpenProcessToken, 16_2_02BDA710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BDA770 NtOpenThread, 16_2_02BDA770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9770 NtSetInformationFile, 16_2_02BD9770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9760 NtOpenProcess, 16_2_02BD9760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD95F0 NtQueryInformationFile, 16_2_02BD95F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BDAD30 NtSetContextThread, 16_2_02BDAD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9520 NtWaitForSingleObject, 16_2_02BD9520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD9560 NtWriteFile, 16_2_02BD9560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016A360 NtCreateFile, 16_2_0016A360
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016A410 NtReadFile, 16_2_0016A410
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016A490 NtClose, 16_2_0016A490
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016A35A NtCreateFile, 16_2_0016A35A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016A40A NtReadFile, 16_2_0016A40A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016A48A NtClose, 16_2_0016A48A
Sample file is different than original file name gathered from version info
Source: NvkGETsSDb.exe Binary or memory string: OriginalFilename vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameTaskNode.dll4 vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe, 00000000.00000000.246291055.000000000019A000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameComMemberTy.exe< vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe, 00000002.00000002.315857212.000000000103A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe, 00000002.00000000.251515898.00000000009FA000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameComMemberTy.exe< vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe, 00000002.00000002.316178527.000000000158F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe Binary or memory string: OriginalFilenameComMemberTy.exe< vs NvkGETsSDb.exe
Source: NvkGETsSDb.exe Virustotal: Detection: 15%
Source: NvkGETsSDb.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\NvkGETsSDb.exe 'C:\Users\user\Desktop\NvkGETsSDb.exe'
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Process created: C:\Users\user\Desktop\NvkGETsSDb.exe C:\Users\user\Desktop\NvkGETsSDb.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NvkGETsSDb.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\NvkGETsSDb.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NvkGETsSDb.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@3/3
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: NvkGETsSDb.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6344:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\NvkGETsSDb.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: NvkGETsSDb.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: NvkGETsSDb.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: ipconfig.pdb source: NvkGETsSDb.exe, 00000002.00000002.315857212.000000000103A000.00000004.00000020.sdmp
Source: Binary string: ipconfig.pdbGCTL source: NvkGETsSDb.exe, 00000002.00000002.315857212.000000000103A000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: NvkGETsSDb.exe, 00000002.00000002.315947777.0000000001470000.00000040.00000001.sdmp, ipconfig.exe, 00000010.00000002.517885571.0000000002C8F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: NvkGETsSDb.exe, 00000002.00000002.315947777.0000000001470000.00000040.00000001.sdmp, ipconfig.exe

Data Obfuscation:

.NET source code contains potential unpacker
Source: NvkGETsSDb.exe, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.NvkGETsSDb.exe.180000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.2.NvkGETsSDb.exe.180000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.2.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.3.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.1.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.7.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.0.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.2.NvkGETsSDb.exe.9e0000.1.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.5.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 2.0.NvkGETsSDb.exe.9e0000.9.unpack, Platformer_AI/GameDisplay.cs .Net Code: TypeNameBuilder System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DC5155 pushad ; iretd 0_2_04DC515B
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 0_2_04DCCB65 push FFFFFF8Bh; iretd 0_2_04DCCB67
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00417162 push ebp; ret 2_2_00417163
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041D4B5 push eax; ret 2_2_0041D508
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041D56C push eax; ret 2_2_0041D572
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041D502 push eax; ret 2_2_0041D508
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041D50B push eax; ret 2_2_0041D572
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_004165E8 push es; retf 2_2_004165E9
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041CE35 push edi; ret 2_2_0041CE36
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_004176DE push ebp; iretd 2_2_004176A6
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0041768B push ebp; iretd 2_2_004176A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BED0D1 push ecx; ret 16_2_02BED0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0015011E push esp; iretd 16_2_00150120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_00167162 push ebp; ret 16_2_00167163
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016E3EF push esp; ret 16_2_0016E3F1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016D4B5 push eax; ret 16_2_0016D508
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016D502 push eax; ret 16_2_0016D508
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016D50B push eax; ret 16_2_0016D572
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016D56C push eax; ret 16_2_0016D572
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_001665E8 push es; retf 16_2_001665E9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016CE35 push edi; ret 16_2_0016CE36
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_0016768B push ebp; iretd 16_2_001676A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_001676DE push ebp; iretd 16_2_001676A6

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xE7
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: /c del 'C:\Users\user\Desktop\NvkGETsSDb.exe'
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: 0.2.NvkGETsSDb.exe.28ed0f8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: NvkGETsSDb.exe PID: 2500, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\NvkGETsSDb.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\NvkGETsSDb.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000159904 second address: 000000000015990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 0000000000159B7E second address: 0000000000159B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\NvkGETsSDb.exe TID: 1400 Thread sleep time: -43030s >= -30000s
Source: C:\Users\user\Desktop\NvkGETsSDb.exe TID: 1140 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 6804 Thread sleep time: -42000s >= -30000s
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 6452 Thread sleep time: -40000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Thread delayed: delay time: 43030
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: VMware SVGA IIBAdd-MpPreference -ExclusionPath "
Source: explorer.exe, 00000004.00000000.265903999.000000000891C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: explorer.exe, 00000004.00000000.293819740.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.292595814.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: explorer.exe, 00000004.00000000.300532803.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 00000004.00000000.294597949.00000000053C4000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: explorer.exe, 00000004.00000000.300532803.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: NvkGETsSDb.exe, 00000000.00000002.256996800.00000000028A1000.00000004.00000001.sdmp Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_00409AB0 rdtsc 2_2_00409AB0
Enables debug privileges
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\ipconfig.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAAAB0 mov eax, dword ptr fs:[00000030h] 16_2_02BAAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAAAB0 mov eax, dword ptr fs:[00000030h] 16_2_02BAAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCFAB0 mov eax, dword ptr fs:[00000030h] 16_2_02BCFAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B952A5 mov eax, dword ptr fs:[00000030h] 16_2_02B952A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B952A5 mov eax, dword ptr fs:[00000030h] 16_2_02B952A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B952A5 mov eax, dword ptr fs:[00000030h] 16_2_02B952A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B952A5 mov eax, dword ptr fs:[00000030h] 16_2_02B952A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B952A5 mov eax, dword ptr fs:[00000030h] 16_2_02B952A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCD294 mov eax, dword ptr fs:[00000030h] 16_2_02BCD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCD294 mov eax, dword ptr fs:[00000030h] 16_2_02BCD294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2AE4 mov eax, dword ptr fs:[00000030h] 16_2_02BC2AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2ACB mov eax, dword ptr fs:[00000030h] 16_2_02BC2ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5EA55 mov eax, dword ptr fs:[00000030h] 16_2_02C5EA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD4A2C mov eax, dword ptr fs:[00000030h] 16_2_02BD4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD4A2C mov eax, dword ptr fs:[00000030h] 16_2_02BD4A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBA229 mov eax, dword ptr fs:[00000030h] 16_2_02BBA229
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C24257 mov eax, dword ptr fs:[00000030h] 16_2_02C24257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C4B260 mov eax, dword ptr fs:[00000030h] 16_2_02C4B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C4B260 mov eax, dword ptr fs:[00000030h] 16_2_02C4B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C68A62 mov eax, dword ptr fs:[00000030h] 16_2_02C68A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB3A1C mov eax, dword ptr fs:[00000030h] 16_2_02BB3A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B95210 mov eax, dword ptr fs:[00000030h] 16_2_02B95210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B95210 mov ecx, dword ptr fs:[00000030h] 16_2_02B95210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B95210 mov eax, dword ptr fs:[00000030h] 16_2_02B95210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B95210 mov eax, dword ptr fs:[00000030h] 16_2_02B95210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9AA16 mov eax, dword ptr fs:[00000030h] 16_2_02B9AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9AA16 mov eax, dword ptr fs:[00000030h] 16_2_02B9AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA8A0A mov eax, dword ptr fs:[00000030h] 16_2_02BA8A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD927A mov eax, dword ptr fs:[00000030h] 16_2_02BD927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5AA16 mov eax, dword ptr fs:[00000030h] 16_2_02C5AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5AA16 mov eax, dword ptr fs:[00000030h] 16_2_02C5AA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99240 mov eax, dword ptr fs:[00000030h] 16_2_02B99240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99240 mov eax, dword ptr fs:[00000030h] 16_2_02B99240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99240 mov eax, dword ptr fs:[00000030h] 16_2_02B99240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99240 mov eax, dword ptr fs:[00000030h] 16_2_02B99240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C153CA mov eax, dword ptr fs:[00000030h] 16_2_02C153CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C153CA mov eax, dword ptr fs:[00000030h] 16_2_02C153CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC4BAD mov eax, dword ptr fs:[00000030h] 16_2_02BC4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC4BAD mov eax, dword ptr fs:[00000030h] 16_2_02BC4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC4BAD mov eax, dword ptr fs:[00000030h] 16_2_02BC4BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2397 mov eax, dword ptr fs:[00000030h] 16_2_02BC2397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCB390 mov eax, dword ptr fs:[00000030h] 16_2_02BCB390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA1B8F mov eax, dword ptr fs:[00000030h] 16_2_02BA1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA1B8F mov eax, dword ptr fs:[00000030h] 16_2_02BA1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C4D380 mov ecx, dword ptr fs:[00000030h] 16_2_02C4D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5138A mov eax, dword ptr fs:[00000030h] 16_2_02C5138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBDBE9 mov eax, dword ptr fs:[00000030h] 16_2_02BBDBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC03E2 mov eax, dword ptr fs:[00000030h] 16_2_02BC03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC03E2 mov eax, dword ptr fs:[00000030h] 16_2_02BC03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC03E2 mov eax, dword ptr fs:[00000030h] 16_2_02BC03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC03E2 mov eax, dword ptr fs:[00000030h] 16_2_02BC03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC03E2 mov eax, dword ptr fs:[00000030h] 16_2_02BC03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC03E2 mov eax, dword ptr fs:[00000030h] 16_2_02BC03E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C65BA5 mov eax, dword ptr fs:[00000030h] 16_2_02C65BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C68B58 mov eax, dword ptr fs:[00000030h] 16_2_02C68B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC3B7A mov eax, dword ptr fs:[00000030h] 16_2_02BC3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC3B7A mov eax, dword ptr fs:[00000030h] 16_2_02BC3B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9DB60 mov ecx, dword ptr fs:[00000030h] 16_2_02B9DB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5131B mov eax, dword ptr fs:[00000030h] 16_2_02C5131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9F358 mov eax, dword ptr fs:[00000030h] 16_2_02B9F358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9DB40 mov eax, dword ptr fs:[00000030h] 16_2_02B9DB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCF0BF mov ecx, dword ptr fs:[00000030h] 16_2_02BCF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCF0BF mov eax, dword ptr fs:[00000030h] 16_2_02BCF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCF0BF mov eax, dword ptr fs:[00000030h] 16_2_02BCF0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD90AF mov eax, dword ptr fs:[00000030h] 16_2_02BD90AF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2B8D0 mov eax, dword ptr fs:[00000030h] 16_2_02C2B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2B8D0 mov ecx, dword ptr fs:[00000030h] 16_2_02C2B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2B8D0 mov eax, dword ptr fs:[00000030h] 16_2_02C2B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2B8D0 mov eax, dword ptr fs:[00000030h] 16_2_02C2B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2B8D0 mov eax, dword ptr fs:[00000030h] 16_2_02C2B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2B8D0 mov eax, dword ptr fs:[00000030h] 16_2_02C2B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC20A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC20A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99080 mov eax, dword ptr fs:[00000030h] 16_2_02B99080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C13884 mov eax, dword ptr fs:[00000030h] 16_2_02C13884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C13884 mov eax, dword ptr fs:[00000030h] 16_2_02C13884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B958EC mov eax, dword ptr fs:[00000030h] 16_2_02B958EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B940E1 mov eax, dword ptr fs:[00000030h] 16_2_02B940E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B940E1 mov eax, dword ptr fs:[00000030h] 16_2_02B940E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B940E1 mov eax, dword ptr fs:[00000030h] 16_2_02B940E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAB02A mov eax, dword ptr fs:[00000030h] 16_2_02BAB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAB02A mov eax, dword ptr fs:[00000030h] 16_2_02BAB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAB02A mov eax, dword ptr fs:[00000030h] 16_2_02BAB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAB02A mov eax, dword ptr fs:[00000030h] 16_2_02BAB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC002D mov eax, dword ptr fs:[00000030h] 16_2_02BC002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC002D mov eax, dword ptr fs:[00000030h] 16_2_02BC002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC002D mov eax, dword ptr fs:[00000030h] 16_2_02BC002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC002D mov eax, dword ptr fs:[00000030h] 16_2_02BC002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC002D mov eax, dword ptr fs:[00000030h] 16_2_02BC002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C61074 mov eax, dword ptr fs:[00000030h] 16_2_02C61074
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C52073 mov eax, dword ptr fs:[00000030h] 16_2_02C52073
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C64015 mov eax, dword ptr fs:[00000030h] 16_2_02C64015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C64015 mov eax, dword ptr fs:[00000030h] 16_2_02C64015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C17016 mov eax, dword ptr fs:[00000030h] 16_2_02C17016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C17016 mov eax, dword ptr fs:[00000030h] 16_2_02C17016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C17016 mov eax, dword ptr fs:[00000030h] 16_2_02C17016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB0050 mov eax, dword ptr fs:[00000030h] 16_2_02BB0050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB0050 mov eax, dword ptr fs:[00000030h] 16_2_02BB0050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC61A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC61A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC61A0 mov eax, dword ptr fs:[00000030h] 16_2_02BC61A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C241E8 mov eax, dword ptr fs:[00000030h] 16_2_02C241E8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2990 mov eax, dword ptr fs:[00000030h] 16_2_02BC2990
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBC182 mov eax, dword ptr fs:[00000030h] 16_2_02BBC182
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCA185 mov eax, dword ptr fs:[00000030h] 16_2_02BCA185
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9B1E1 mov eax, dword ptr fs:[00000030h] 16_2_02B9B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9B1E1 mov eax, dword ptr fs:[00000030h] 16_2_02B9B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9B1E1 mov eax, dword ptr fs:[00000030h] 16_2_02B9B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C549A4 mov eax, dword ptr fs:[00000030h] 16_2_02C549A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C549A4 mov eax, dword ptr fs:[00000030h] 16_2_02C549A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C549A4 mov eax, dword ptr fs:[00000030h] 16_2_02C549A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C549A4 mov eax, dword ptr fs:[00000030h] 16_2_02C549A4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C169A6 mov eax, dword ptr fs:[00000030h] 16_2_02C169A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C151BE mov eax, dword ptr fs:[00000030h] 16_2_02C151BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C151BE mov eax, dword ptr fs:[00000030h] 16_2_02C151BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C151BE mov eax, dword ptr fs:[00000030h] 16_2_02C151BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C151BE mov eax, dword ptr fs:[00000030h] 16_2_02C151BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC513A mov eax, dword ptr fs:[00000030h] 16_2_02BC513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC513A mov eax, dword ptr fs:[00000030h] 16_2_02BC513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB4120 mov eax, dword ptr fs:[00000030h] 16_2_02BB4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB4120 mov eax, dword ptr fs:[00000030h] 16_2_02BB4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB4120 mov eax, dword ptr fs:[00000030h] 16_2_02BB4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB4120 mov eax, dword ptr fs:[00000030h] 16_2_02BB4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB4120 mov ecx, dword ptr fs:[00000030h] 16_2_02BB4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99100 mov eax, dword ptr fs:[00000030h] 16_2_02B99100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99100 mov eax, dword ptr fs:[00000030h] 16_2_02B99100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B99100 mov eax, dword ptr fs:[00000030h] 16_2_02B99100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9B171 mov eax, dword ptr fs:[00000030h] 16_2_02B9B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9B171 mov eax, dword ptr fs:[00000030h] 16_2_02B9B171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9C962 mov eax, dword ptr fs:[00000030h] 16_2_02B9C962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBB944 mov eax, dword ptr fs:[00000030h] 16_2_02BBB944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBB944 mov eax, dword ptr fs:[00000030h] 16_2_02BBB944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C4FEC0 mov eax, dword ptr fs:[00000030h] 16_2_02C4FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C68ED6 mov eax, dword ptr fs:[00000030h] 16_2_02C68ED6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2FE87 mov eax, dword ptr fs:[00000030h] 16_2_02C2FE87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA76E2 mov eax, dword ptr fs:[00000030h] 16_2_02BA76E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC16E0 mov ecx, dword ptr fs:[00000030h] 16_2_02BC16E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C60EA5 mov eax, dword ptr fs:[00000030h] 16_2_02C60EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C60EA5 mov eax, dword ptr fs:[00000030h] 16_2_02C60EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C60EA5 mov eax, dword ptr fs:[00000030h] 16_2_02C60EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C146A7 mov eax, dword ptr fs:[00000030h] 16_2_02C146A7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC36CC mov eax, dword ptr fs:[00000030h] 16_2_02BC36CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD8EC7 mov eax, dword ptr fs:[00000030h] 16_2_02BD8EC7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5AE44 mov eax, dword ptr fs:[00000030h] 16_2_02C5AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5AE44 mov eax, dword ptr fs:[00000030h] 16_2_02C5AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9E620 mov eax, dword ptr fs:[00000030h] 16_2_02B9E620
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCA61C mov eax, dword ptr fs:[00000030h] 16_2_02BCA61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCA61C mov eax, dword ptr fs:[00000030h] 16_2_02BCA61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9C600 mov eax, dword ptr fs:[00000030h] 16_2_02B9C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9C600 mov eax, dword ptr fs:[00000030h] 16_2_02B9C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9C600 mov eax, dword ptr fs:[00000030h] 16_2_02B9C600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC8E00 mov eax, dword ptr fs:[00000030h] 16_2_02BC8E00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBAE73 mov eax, dword ptr fs:[00000030h] 16_2_02BBAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBAE73 mov eax, dword ptr fs:[00000030h] 16_2_02BBAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBAE73 mov eax, dword ptr fs:[00000030h] 16_2_02BBAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBAE73 mov eax, dword ptr fs:[00000030h] 16_2_02BBAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBAE73 mov eax, dword ptr fs:[00000030h] 16_2_02BBAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51608 mov eax, dword ptr fs:[00000030h] 16_2_02C51608
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA766D mov eax, dword ptr fs:[00000030h] 16_2_02BA766D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C4FE3F mov eax, dword ptr fs:[00000030h] 16_2_02C4FE3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA7E41 mov eax, dword ptr fs:[00000030h] 16_2_02BA7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA7E41 mov eax, dword ptr fs:[00000030h] 16_2_02BA7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA7E41 mov eax, dword ptr fs:[00000030h] 16_2_02BA7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA7E41 mov eax, dword ptr fs:[00000030h] 16_2_02BA7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA7E41 mov eax, dword ptr fs:[00000030h] 16_2_02BA7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA7E41 mov eax, dword ptr fs:[00000030h] 16_2_02BA7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA8794 mov eax, dword ptr fs:[00000030h] 16_2_02BA8794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD37F5 mov eax, dword ptr fs:[00000030h] 16_2_02BD37F5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C17794 mov eax, dword ptr fs:[00000030h] 16_2_02C17794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C17794 mov eax, dword ptr fs:[00000030h] 16_2_02C17794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C17794 mov eax, dword ptr fs:[00000030h] 16_2_02C17794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCE730 mov eax, dword ptr fs:[00000030h] 16_2_02BCE730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B94F2E mov eax, dword ptr fs:[00000030h] 16_2_02B94F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B94F2E mov eax, dword ptr fs:[00000030h] 16_2_02B94F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C68F6A mov eax, dword ptr fs:[00000030h] 16_2_02C68F6A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBF716 mov eax, dword ptr fs:[00000030h] 16_2_02BBF716
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCA70E mov eax, dword ptr fs:[00000030h] 16_2_02BCA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCA70E mov eax, dword ptr fs:[00000030h] 16_2_02BCA70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6070D mov eax, dword ptr fs:[00000030h] 16_2_02C6070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6070D mov eax, dword ptr fs:[00000030h] 16_2_02C6070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2FF10 mov eax, dword ptr fs:[00000030h] 16_2_02C2FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2FF10 mov eax, dword ptr fs:[00000030h] 16_2_02C2FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAFF60 mov eax, dword ptr fs:[00000030h] 16_2_02BAFF60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAEF40 mov eax, dword ptr fs:[00000030h] 16_2_02BAEF40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C68CD6 mov eax, dword ptr fs:[00000030h] 16_2_02C68CD6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA849B mov eax, dword ptr fs:[00000030h] 16_2_02BA849B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16CF0 mov eax, dword ptr fs:[00000030h] 16_2_02C16CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16CF0 mov eax, dword ptr fs:[00000030h] 16_2_02C16CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16CF0 mov eax, dword ptr fs:[00000030h] 16_2_02C16CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C514FB mov eax, dword ptr fs:[00000030h] 16_2_02C514FB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCBC2C mov eax, dword ptr fs:[00000030h] 16_2_02BCBC2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2C450 mov eax, dword ptr fs:[00000030h] 16_2_02C2C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C2C450 mov eax, dword ptr fs:[00000030h] 16_2_02C2C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C51C06 mov eax, dword ptr fs:[00000030h] 16_2_02C51C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6740D mov eax, dword ptr fs:[00000030h] 16_2_02C6740D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6740D mov eax, dword ptr fs:[00000030h] 16_2_02C6740D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C6740D mov eax, dword ptr fs:[00000030h] 16_2_02C6740D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16C0A mov eax, dword ptr fs:[00000030h] 16_2_02C16C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16C0A mov eax, dword ptr fs:[00000030h] 16_2_02C16C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16C0A mov eax, dword ptr fs:[00000030h] 16_2_02C16C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16C0A mov eax, dword ptr fs:[00000030h] 16_2_02C16C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB746D mov eax, dword ptr fs:[00000030h] 16_2_02BB746D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCA44B mov eax, dword ptr fs:[00000030h] 16_2_02BCA44B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16DC9 mov eax, dword ptr fs:[00000030h] 16_2_02C16DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16DC9 mov eax, dword ptr fs:[00000030h] 16_2_02C16DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16DC9 mov eax, dword ptr fs:[00000030h] 16_2_02C16DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16DC9 mov ecx, dword ptr fs:[00000030h] 16_2_02C16DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16DC9 mov eax, dword ptr fs:[00000030h] 16_2_02C16DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C16DC9 mov eax, dword ptr fs:[00000030h] 16_2_02C16DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC1DB5 mov eax, dword ptr fs:[00000030h] 16_2_02BC1DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC1DB5 mov eax, dword ptr fs:[00000030h] 16_2_02BC1DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC1DB5 mov eax, dword ptr fs:[00000030h] 16_2_02BC1DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC35A1 mov eax, dword ptr fs:[00000030h] 16_2_02BC35A1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCFD9B mov eax, dword ptr fs:[00000030h] 16_2_02BCFD9B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BCFD9B mov eax, dword ptr fs:[00000030h] 16_2_02BCFD9B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5FDE2 mov eax, dword ptr fs:[00000030h] 16_2_02C5FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5FDE2 mov eax, dword ptr fs:[00000030h] 16_2_02C5FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5FDE2 mov eax, dword ptr fs:[00000030h] 16_2_02C5FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5FDE2 mov eax, dword ptr fs:[00000030h] 16_2_02C5FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B92D8A mov eax, dword ptr fs:[00000030h] 16_2_02B92D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B92D8A mov eax, dword ptr fs:[00000030h] 16_2_02B92D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B92D8A mov eax, dword ptr fs:[00000030h] 16_2_02B92D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B92D8A mov eax, dword ptr fs:[00000030h] 16_2_02B92D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B92D8A mov eax, dword ptr fs:[00000030h] 16_2_02B92D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C48DF1 mov eax, dword ptr fs:[00000030h] 16_2_02C48DF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2581 mov eax, dword ptr fs:[00000030h] 16_2_02BC2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2581 mov eax, dword ptr fs:[00000030h] 16_2_02BC2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2581 mov eax, dword ptr fs:[00000030h] 16_2_02BC2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC2581 mov eax, dword ptr fs:[00000030h] 16_2_02BC2581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAD5E0 mov eax, dword ptr fs:[00000030h] 16_2_02BAD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BAD5E0 mov eax, dword ptr fs:[00000030h] 16_2_02BAD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C605AC mov eax, dword ptr fs:[00000030h] 16_2_02C605AC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C605AC mov eax, dword ptr fs:[00000030h] 16_2_02C605AC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C13540 mov eax, dword ptr fs:[00000030h] 16_2_02C13540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C43D40 mov eax, dword ptr fs:[00000030h] 16_2_02C43D40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC4D3B mov eax, dword ptr fs:[00000030h] 16_2_02BC4D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC4D3B mov eax, dword ptr fs:[00000030h] 16_2_02BC4D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BC4D3B mov eax, dword ptr fs:[00000030h] 16_2_02BC4D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02B9AD30 mov eax, dword ptr fs:[00000030h] 16_2_02B9AD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BA3D34 mov eax, dword ptr fs:[00000030h] 16_2_02BA3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBC577 mov eax, dword ptr fs:[00000030h] 16_2_02BBC577
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BBC577 mov eax, dword ptr fs:[00000030h] 16_2_02BBC577
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BB7D50 mov eax, dword ptr fs:[00000030h] 16_2_02BB7D50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C68D34 mov eax, dword ptr fs:[00000030h] 16_2_02C68D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C1A537 mov eax, dword ptr fs:[00000030h] 16_2_02C1A537
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02C5E539 mov eax, dword ptr fs:[00000030h] 16_2_02C5E539
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 16_2_02BD3D43 mov eax, dword ptr fs:[00000030h] 16_2_02BD3D43
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Code function: 2_2_0040ACF0 LdrLoadDll, 2_2_0040ACF0
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 184.168.131.241 80
Source: C:\Windows\explorer.exe Domain query: www.carterscts.com
Source: C:\Windows\explorer.exe Domain query: www.lenovoidc.com
Source: C:\Windows\explorer.exe Domain query: www.mr-exclusive.com
Source: C:\Windows\explorer.exe Network Connect: 198.46.90.29 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 200000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Memory written: C:\Users\user\Desktop\NvkGETsSDb.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Process created: C:\Users\user\Desktop\NvkGETsSDb.exe C:\Users\user\Desktop\NvkGETsSDb.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\NvkGETsSDb.exe'
Source: explorer.exe, 00000004.00000000.351908572.0000000001640000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.519261931.0000000004000000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.351908572.0000000001640000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.519261931.0000000004000000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.351908572.0000000001640000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.519261931.0000000004000000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 00000004.00000000.274817479.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 00000004.00000000.351908572.0000000001640000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.519261931.0000000004000000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 00000004.00000000.351908572.0000000001640000.00000002.00020000.sdmp, ipconfig.exe, 00000010.00000002.519261931.0000000004000000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Queries volume information: C:\Users\user\Desktop\NvkGETsSDb.exe VolumeInformation
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\NvkGETsSDb.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.NvkGETsSDb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.3a2f770.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.NvkGETsSDb.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.NvkGETsSDb.exe.39e0150.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.315401814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.516991020.00000000028C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.303659400.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.514736730.0000000000150000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253147010.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315756855.0000000000FD0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.515839448.0000000002700000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.288307054.000000000F70F000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.253638394.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.315792746.0000000001000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.257370628.00000000038A9000.00000004.00000001.sdmp, type: MEMORY