Windows Analysis Report
SNO22 PriceLetter595406_RACX-159814.exe

Overview

General Information

Sample Name: SNO22 PriceLetter595406_RACX-159814.exe
Analysis ID: 562167
MD5: 7088f42f3e34585a113c57d472e7f6e9
SHA1: a3bae33f21a6068eb3c76bc3e74c61df20d5596b
SHA256: 472f77899f797ab92af8a3b5eacbf827ce8e287971f4dd3a9f23ae00d7b25475
Tags: exexloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.gebaeudetechnik-burscheid.com/p8ce/"], "decoy": ["wishmeluck1.xyz", "nawabumi.com", "terra.fish", "eoraipsumami.quest", "awakeningyourid.com", "csyein.com", "tslsinteligentes.com", "cataractusa.com", "capitalwheelstogo.com", "staffremotely.com", "trashbinwasher.com", "blaneyparkrendezvous.com", "yolrt.com", "northendtaproom.com", "showgeini.com", "b95206.com", "almcpersonaltraining.com", "lovabledoodleshome.com", "woodlandstationcondos.com", "nikahlive.com", "sassholesentiments.com", "bupis44.info", "salahiheartclinic.com", "loveandpersonality.com", "electric-cortex.com", "beijixing-zs.com", "proper-sa.com", "legacyfamilypartners.com", "psidsamor.com", "schotinderoos.com", "kosma-concept.com", "onitled.com", "zscyyds.xyz", "mannatgroups.com", "radweb-demo.com", "lambanghieuquangcao.info", "antabatik.com", "lerongclub.com", "mobssvipshop.com", "dr-walther.com", "ibexitconsultants.com", "cnyprospects.com", "j9mkt64.com", "archer-claims.com", "lggrandinn.com", "jowhp.com", "outdoormz.store", "cantikgroup.company", "2brothersprinting.com", "ginamodernart.com", "koupeespen.quest", "senerants.tech", "designthrottle.com", "emquality.com", "cerulesafe.com", "orascomservice.com", "skinsotight.com", "premiumconciergemarbella.com", "cottagepor.xyz", "gwayav.com", "johnguidesyou.com", "corporativokale.com", "jskswj.com", "xinico.info"]}
Source: SNO22 PriceLetter595406_RACX-159814.exe Virustotal: Detection: 29%
Source: SNO22 PriceLetter595406_RACX-159814.exe Metadefender: Detection: 27%
Source: SNO22 PriceLetter595406_RACX-159814.exe ReversingLabs: Detection: 53%
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.7:49752 version: TLS 1.2
Source: SNO22 PriceLetter595406_RACX-159814.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: msiexec.pdb source: aspnet_regbrowsers.exe, 00000011.00000002.514739895.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdbp source: msiexec.exe, 00000015.00000002.528080755.0000000005047000.00000004.00000001.00040000.00000000.sdmp, msiexec.exe, 00000015.00000002.524296300.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: aspnet_regbrowsers.exe, 00000011.00000002.514739895.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aspnet_regbrowsers.exe, 00000011.00000002.513492728.0000000000F7F000.00000040.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.512870377.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000015.00000002.524532882.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000015.00000002.524387982.0000000004B10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 00000011.00000002.513492728.0000000000F7F000.00000040.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.512870377.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000015.00000002.524532882.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000015.00000002.524387982.0000000004B10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdb source: msiexec.exe, 00000015.00000002.528080755.0000000005047000.00000004.00000001.00040000.00000000.sdmp, msiexec.exe, 00000015.00000002.524296300.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb source: SNO22 PriceLetter595406_RACX-159814.exe

Software Vulnerabilities

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 4x nop then pop ebx 17_2_00406AB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 4x nop then pop edi 17_2_0041563F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop ebx 21_2_00C26AB6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 4x nop then pop edi 21_2_00C3563F

Networking

Source: Malware configuration extractor URLs: www.gebaeudetechnik-burscheid.com/p8ce/
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic HTTP traffic detected: GET /iUqAEkob.rtf HTTP/1.1Host: a.uguu.seConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /iUqAEkob.rtf HTTP/1.1Host: a.uguu.se
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49769 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49769
Source: explorer.exe, 00000012.00000000.469553539.000000000686B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.485777639.000000000686B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.454836416.000000000686B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: SNO22 PriceLetter595406_RACX-159814.exe String found in binary or memory: https://a.uguu.se/iUqAEkob.rtf
Source: unknown DNS traffic detected: queries for: a.uguu.se
Source: unknown HTTPS traffic detected: 188.40.83.211:443 -> 192.168.2.7:49752 version: TLS 1.2

E-Banking Fraud

Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00401030 17_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041C94A 17_2_0041C94A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041B9D2 17_2_0041B9D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041CBAE 17_2_0041CBAE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00408C70 17_2_00408C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00402D90 17_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041BF15 17_2_0041BF15
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00402FB0 17_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F528EC 17_2_00F528EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB20A0 17_2_00EB20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F520A8 17_2_00F520A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E9B090 17_2_00E9B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F41002 17_2_00F41002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA4120 17_2_00EA4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8F900 17_2_00E8F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F522AE 17_2_00F522AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4B090 21_2_04B4B090
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C020A8 21_2_04C020A8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4841F 21_2_04B4841F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1002 21_2_04BF1002
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62581 21_2_04B62581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4D5E0 21_2_04B4D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B30D20 21_2_04B30D20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C01D55 21_2_04C01D55
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B54120 21_2_04B54120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3F900 21_2_04B3F900
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C02D07 21_2_04C02D07
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C02EF7 21_2_04C02EF7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C022AE 21_2_04C022AE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B56E30 21_2_04B56E30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6EBB0 21_2_04B6EBB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C01FF1 21_2_04C01FF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C02B28 21_2_04C02B28
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3B9D2 21_2_00C3B9D2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3C94A 21_2_00C3C94A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3CBAE 21_2_00C3CBAE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C28C70 21_2_00C28C70
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C22D90 21_2_00C22D90
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C22FB0 21_2_00C22FB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: String function: 04B3B150 appears 35 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004185D0 NtCreateFile, 17_2_004185D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00418680 NtReadFile, 17_2_00418680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00418700 NtClose, 17_2_00418700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004187B0 NtAllocateVirtualMemory, 17_2_004187B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004185CA NtCreateFile, 17_2_004185CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041867B NtReadFile, 17_2_0041867B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004187AA NtAllocateVirtualMemory, 17_2_004187AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC98F0 NtReadVirtualMemory,LdrInitializeThunk, 17_2_00EC98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_00EC9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9840 NtDelayExecution,LdrInitializeThunk, 17_2_00EC9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC99A0 NtCreateSection,LdrInitializeThunk, 17_2_00EC99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_00EC9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9A50 NtCreateFile,LdrInitializeThunk, 17_2_00EC9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9A20 NtResumeThread,LdrInitializeThunk, 17_2_00EC9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9A00 NtProtectVirtualMemory,LdrInitializeThunk, 17_2_00EC9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC95D0 NtClose,LdrInitializeThunk, 17_2_00EC95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9540 NtReadFile,LdrInitializeThunk, 17_2_00EC9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC96E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_00EC96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_00EC9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9FE0 NtCreateMutant,LdrInitializeThunk, 17_2_00EC9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC97A0 NtUnmapViewOfSection,LdrInitializeThunk, 17_2_00EC97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9780 NtMapViewOfSection,LdrInitializeThunk, 17_2_00EC9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9710 NtQueryInformationToken,LdrInitializeThunk, 17_2_00EC9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC98A0 NtWriteVirtualMemory, 17_2_00EC98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00ECB040 NtSuspendThread, 17_2_00ECB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9820 NtEnumerateKey, 17_2_00EC9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC99D0 NtCreateProcessEx, 17_2_00EC99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9950 NtQueueApcThread, 17_2_00EC9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC9A80 NtOpenDirectoryObject, 17_2_00EC9A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79860 NtQuerySystemInformation,LdrInitializeThunk, 21_2_04B79860
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B795D0 NtClose,LdrInitializeThunk, 21_2_04B795D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79910 NtAdjustPrivilegesToken,LdrInitializeThunk, 21_2_04B79910
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79540 NtReadFile,LdrInitializeThunk, 21_2_04B79540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B796E0 NtFreeVirtualMemory,LdrInitializeThunk, 21_2_04B796E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79A50 NtCreateFile,LdrInitializeThunk, 21_2_04B79A50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79FE0 NtCreateMutant,LdrInitializeThunk, 21_2_04B79FE0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B798A0 NtWriteVirtualMemory, 21_2_04B798A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B798F0 NtReadVirtualMemory, 21_2_04B798F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79820 NtEnumerateKey, 21_2_04B79820
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B7B040 NtSuspendThread, 21_2_04B7B040
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79840 NtDelayExecution, 21_2_04B79840
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B799A0 NtCreateSection, 21_2_04B799A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B795F0 NtQueryInformationFile, 21_2_04B795F0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B799D0 NtCreateProcessEx, 21_2_04B799D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B7AD30 NtSetContextThread, 21_2_04B7AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79520 NtWaitForSingleObject, 21_2_04B79520
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79560 NtWriteFile, 21_2_04B79560
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79950 NtQueueApcThread, 21_2_04B79950
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79A80 NtOpenDirectoryObject, 21_2_04B79A80
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B796D0 NtCreateKey, 21_2_04B796D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79A20 NtResumeThread, 21_2_04B79A20
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79610 NtEnumerateValueKey, 21_2_04B79610
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79A10 NtQuerySection, 21_2_04B79A10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79A00 NtProtectVirtualMemory, 21_2_04B79A00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79670 NtQueryInformationProcess, 21_2_04B79670
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79660 NtAllocateVirtualMemory, 21_2_04B79660
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79650 NtQueryValueKey, 21_2_04B79650
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B7A3B0 NtGetContextThread, 21_2_04B7A3B0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B797A0 NtUnmapViewOfSection, 21_2_04B797A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79780 NtMapViewOfSection, 21_2_04B79780
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79730 NtQueryVirtualMemory, 21_2_04B79730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B7A710 NtOpenProcessToken, 21_2_04B7A710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79710 NtQueryInformationToken, 21_2_04B79710
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79B00 NtSetValueKey, 21_2_04B79B00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79770 NtSetInformationFile, 21_2_04B79770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B7A770 NtOpenThread, 21_2_04B7A770
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B79760 NtOpenProcess, 21_2_04B79760
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C385D0 NtCreateFile, 21_2_00C385D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C38680 NtReadFile, 21_2_00C38680
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C38700 NtClose, 21_2_00C38700
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C385CA NtCreateFile, 21_2_00C385CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3867B NtReadFile, 21_2_00C3867B
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process Stats: CPU usage > 98%
Source: SNO22 PriceLetter595406_RACX-159814.exe, 00000001.00000000.250874330.0000000000852000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamebonkersV2.exe4 vs SNO22 PriceLetter595406_RACX-159814.exe
Source: SNO22 PriceLetter595406_RACX-159814.exe Binary or memory string: OriginalFilenamebonkersV2.exe4 vs SNO22 PriceLetter595406_RACX-159814.exe
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: SNO22 PriceLetter595406_RACX-159814.exe Virustotal: Detection: 29%
Source: SNO22 PriceLetter595406_RACX-159814.exe Metadefender: Detection: 27%
Source: SNO22 PriceLetter595406_RACX-159814.exe ReversingLabs: Detection: 53%
Source: SNO22 PriceLetter595406_RACX-159814.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe "C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe"
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SNO22 PriceLetter595406_RACX-159814.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@1/1
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: SNO22 PriceLetter595406_RACX-159814.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SNO22 PriceLetter595406_RACX-159814.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: SNO22 PriceLetter595406_RACX-159814.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: msiexec.pdb source: aspnet_regbrowsers.exe, 00000011.00000002.514739895.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdbp source: msiexec.exe, 00000015.00000002.528080755.0000000005047000.00000004.00000001.00040000.00000000.sdmp, msiexec.exe, 00000015.00000002.524296300.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: msiexec.pdbGCTL source: aspnet_regbrowsers.exe, 00000011.00000002.514739895.0000000002DD0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: aspnet_regbrowsers.exe, 00000011.00000002.513492728.0000000000F7F000.00000040.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.512870377.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000015.00000002.524532882.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000015.00000002.524387982.0000000004B10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: aspnet_regbrowsers.exe, aspnet_regbrowsers.exe, 00000011.00000002.513492728.0000000000F7F000.00000040.00000800.00020000.00000000.sdmp, aspnet_regbrowsers.exe, 00000011.00000002.512870377.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, msiexec.exe, 00000015.00000002.524532882.0000000004C2F000.00000040.00000800.00020000.00000000.sdmp, msiexec.exe, 00000015.00000002.524387982.0000000004B10000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: aspnet_regbrowsers.pdb source: msiexec.exe, 00000015.00000002.528080755.0000000005047000.00000004.00000001.00040000.00000000.sdmp, msiexec.exe, 00000015.00000002.524296300.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Administrator\Desktop\Builder\stub\1530308638\un_priv\bonkersV2\obj\Release\bonkersV2.pdb source: SNO22 PriceLetter595406_RACX-159814.exe

Data Obfuscation

Source: SNO22 PriceLetter595406_RACX-159814.exe, Program.cs .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.SNO22 PriceLetter595406_RACX-159814.exe.850000.0.unpack, Program.cs .Net Code: hselector System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041B87C push eax; ret 17_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041B812 push eax; ret 17_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041B81B push eax; ret 17_2_0041B882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004152A6 push ss; retf 17_2_004152B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041CECF push cs; retf 17_2_0041CED7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00415F5C push ebp; ret 17_2_00415F5D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041A702 push es; ret 17_2_0041A747
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041CF2D push cs; ret 17_2_0041CF2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_0041B7C5 push eax; ret 17_2_0041B818
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EDD0D1 push ecx; ret 17_2_00EDD0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B8D0D1 push ecx; ret 21_2_04B8D0E4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3B87C push eax; ret 21_2_00C3B882
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3B812 push eax; ret 21_2_00C3B818
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3B81B push eax; ret 21_2_00C3B882
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C352A6 push ss; retf 21_2_00C352B9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3CECF push cs; retf 21_2_00C3CED7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3B7C5 push eax; ret 21_2_00C3B818
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C35F5C push ebp; ret 21_2_00C35F5D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3A702 push es; ret 21_2_00C3A747
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_00C3CF2D push cs; ret 21_2_00C3CF2E
Source: SNO22 PriceLetter595406_RACX-159814.exe Static PE information: 0xCC7F8886 [Tue Sep 20 14:34:46 2078 UTC]
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe RDTSC instruction interceptor: First address: 000000000040898E second address: 0000000000408994 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe TID: 6696 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe TID: 6684 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004088C0 rdtsc 17_2_004088C0
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe API coverage: 5.1 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000012.00000000.459039685.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.495916119.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000012.00000000.495916119.0000000008A32000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000012.00000000.459039685.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.459039685.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000012.00000002.529991671.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000012.00000000.459039685.0000000008B88000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}C
Source: explorer.exe, 00000012.00000000.495990544.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000Datc
Source: explorer.exe, 00000012.00000000.495990544.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000012.00000000.455004676.00000000069D5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD002

Anti Debugging

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_004088C0 rdtsc 17_2_004088C0
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\msiexec.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E858EC mov eax, dword ptr fs:[00000030h] 17_2_00E858EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F1B8D0 mov eax, dword ptr fs:[00000030h] 17_2_00F1B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F1B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_00F1B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC90AF mov eax, dword ptr fs:[00000030h] 17_2_00EC90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB20A0 mov eax, dword ptr fs:[00000030h] 17_2_00EB20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EBF0BF mov ecx, dword ptr fs:[00000030h] 17_2_00EBF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EBF0BF mov eax, dword ptr fs:[00000030h] 17_2_00EBF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89080 mov eax, dword ptr fs:[00000030h] 17_2_00E89080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F03884 mov eax, dword ptr fs:[00000030h] 17_2_00F03884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F51074 mov eax, dword ptr fs:[00000030h] 17_2_00F51074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F42073 mov eax, dword ptr fs:[00000030h] 17_2_00F42073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA0050 mov eax, dword ptr fs:[00000030h] 17_2_00EA0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E9B02A mov eax, dword ptr fs:[00000030h] 17_2_00E9B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB002D mov eax, dword ptr fs:[00000030h] 17_2_00EB002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB002D mov eax, dword ptr fs:[00000030h] 17_2_00EB002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB002D mov eax, dword ptr fs:[00000030h] 17_2_00EB002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB002D mov eax, dword ptr fs:[00000030h] 17_2_00EB002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB002D mov eax, dword ptr fs:[00000030h] 17_2_00EB002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F54015 mov eax, dword ptr fs:[00000030h] 17_2_00F54015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F54015 mov eax, dword ptr fs:[00000030h] 17_2_00F54015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F07016 mov eax, dword ptr fs:[00000030h] 17_2_00F07016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F07016 mov eax, dword ptr fs:[00000030h] 17_2_00F07016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F07016 mov eax, dword ptr fs:[00000030h] 17_2_00F07016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8B1E1 mov eax, dword ptr fs:[00000030h] 17_2_00E8B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8B1E1 mov eax, dword ptr fs:[00000030h] 17_2_00E8B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8B1E1 mov eax, dword ptr fs:[00000030h] 17_2_00E8B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F141E8 mov eax, dword ptr fs:[00000030h] 17_2_00F141E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB61A0 mov eax, dword ptr fs:[00000030h] 17_2_00EB61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB61A0 mov eax, dword ptr fs:[00000030h] 17_2_00EB61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F051BE mov eax, dword ptr fs:[00000030h] 17_2_00F051BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F051BE mov eax, dword ptr fs:[00000030h] 17_2_00F051BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F051BE mov eax, dword ptr fs:[00000030h] 17_2_00F051BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F051BE mov eax, dword ptr fs:[00000030h] 17_2_00F051BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F069A6 mov eax, dword ptr fs:[00000030h] 17_2_00F069A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EAC182 mov eax, dword ptr fs:[00000030h] 17_2_00EAC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EBA185 mov eax, dword ptr fs:[00000030h] 17_2_00EBA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB2990 mov eax, dword ptr fs:[00000030h] 17_2_00EB2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8C962 mov eax, dword ptr fs:[00000030h] 17_2_00E8C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8B171 mov eax, dword ptr fs:[00000030h] 17_2_00E8B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E8B171 mov eax, dword ptr fs:[00000030h] 17_2_00E8B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EAB944 mov eax, dword ptr fs:[00000030h] 17_2_00EAB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EAB944 mov eax, dword ptr fs:[00000030h] 17_2_00EAB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA4120 mov eax, dword ptr fs:[00000030h] 17_2_00EA4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA4120 mov eax, dword ptr fs:[00000030h] 17_2_00EA4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA4120 mov eax, dword ptr fs:[00000030h] 17_2_00EA4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA4120 mov eax, dword ptr fs:[00000030h] 17_2_00EA4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EA4120 mov ecx, dword ptr fs:[00000030h] 17_2_00EA4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB513A mov eax, dword ptr fs:[00000030h] 17_2_00EB513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB513A mov eax, dword ptr fs:[00000030h] 17_2_00EB513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89100 mov eax, dword ptr fs:[00000030h] 17_2_00E89100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89100 mov eax, dword ptr fs:[00000030h] 17_2_00E89100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89100 mov eax, dword ptr fs:[00000030h] 17_2_00E89100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB2AE4 mov eax, dword ptr fs:[00000030h] 17_2_00EB2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EB2ACB mov eax, dword ptr fs:[00000030h] 17_2_00EB2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E852A5 mov eax, dword ptr fs:[00000030h] 17_2_00E852A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E852A5 mov eax, dword ptr fs:[00000030h] 17_2_00E852A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E852A5 mov eax, dword ptr fs:[00000030h] 17_2_00E852A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E852A5 mov eax, dword ptr fs:[00000030h] 17_2_00E852A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E852A5 mov eax, dword ptr fs:[00000030h] 17_2_00E852A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E9AAB0 mov eax, dword ptr fs:[00000030h] 17_2_00E9AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E9AAB0 mov eax, dword ptr fs:[00000030h] 17_2_00E9AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EBFAB0 mov eax, dword ptr fs:[00000030h] 17_2_00EBFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EBD294 mov eax, dword ptr fs:[00000030h] 17_2_00EBD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EBD294 mov eax, dword ptr fs:[00000030h] 17_2_00EBD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F3B260 mov eax, dword ptr fs:[00000030h] 17_2_00F3B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F3B260 mov eax, dword ptr fs:[00000030h] 17_2_00F3B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC927A mov eax, dword ptr fs:[00000030h] 17_2_00EC927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F58A62 mov eax, dword ptr fs:[00000030h] 17_2_00F58A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F4EA55 mov eax, dword ptr fs:[00000030h] 17_2_00F4EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F14257 mov eax, dword ptr fs:[00000030h] 17_2_00F14257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89240 mov eax, dword ptr fs:[00000030h] 17_2_00E89240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89240 mov eax, dword ptr fs:[00000030h] 17_2_00E89240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89240 mov eax, dword ptr fs:[00000030h] 17_2_00E89240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E89240 mov eax, dword ptr fs:[00000030h] 17_2_00E89240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC4A2C mov eax, dword ptr fs:[00000030h] 17_2_00EC4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00EC4A2C mov eax, dword ptr fs:[00000030h] 17_2_00EC4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F4AA16 mov eax, dword ptr fs:[00000030h] 17_2_00F4AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00F4AA16 mov eax, dword ptr fs:[00000030h] 17_2_00F4AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00E98A0A mov eax, dword ptr fs:[00000030h] 17_2_00E98A0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6F0BF mov ecx, dword ptr fs:[00000030h] 21_2_04B6F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6F0BF mov eax, dword ptr fs:[00000030h] 21_2_04B6F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6F0BF mov eax, dword ptr fs:[00000030h] 21_2_04B6F0BF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C08CD6 mov eax, dword ptr fs:[00000030h] 21_2_04C08CD6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 mov eax, dword ptr fs:[00000030h] 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 mov eax, dword ptr fs:[00000030h] 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 mov eax, dword ptr fs:[00000030h] 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 mov eax, dword ptr fs:[00000030h] 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 mov eax, dword ptr fs:[00000030h] 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B620A0 mov eax, dword ptr fs:[00000030h] 21_2_04B620A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B790AF mov eax, dword ptr fs:[00000030h] 21_2_04B790AF
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4849B mov eax, dword ptr fs:[00000030h] 21_2_04B4849B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39080 mov eax, dword ptr fs:[00000030h] 21_2_04B39080
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB3884 mov eax, dword ptr fs:[00000030h] 21_2_04BB3884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB3884 mov eax, dword ptr fs:[00000030h] 21_2_04BB3884
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF14FB mov eax, dword ptr fs:[00000030h] 21_2_04BF14FB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6CF0 mov eax, dword ptr fs:[00000030h] 21_2_04BB6CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6CF0 mov eax, dword ptr fs:[00000030h] 21_2_04BB6CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6CF0 mov eax, dword ptr fs:[00000030h] 21_2_04BB6CF0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B358EC mov eax, dword ptr fs:[00000030h] 21_2_04B358EC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 21_2_04BCB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCB8D0 mov ecx, dword ptr fs:[00000030h] 21_2_04BCB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 21_2_04BCB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 21_2_04BCB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 21_2_04BCB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCB8D0 mov eax, dword ptr fs:[00000030h] 21_2_04BCB8D0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6BC2C mov eax, dword ptr fs:[00000030h] 21_2_04B6BC2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6002D mov eax, dword ptr fs:[00000030h] 21_2_04B6002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6002D mov eax, dword ptr fs:[00000030h] 21_2_04B6002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6002D mov eax, dword ptr fs:[00000030h] 21_2_04B6002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6002D mov eax, dword ptr fs:[00000030h] 21_2_04B6002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6002D mov eax, dword ptr fs:[00000030h] 21_2_04B6002D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4B02A mov eax, dword ptr fs:[00000030h] 21_2_04B4B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4B02A mov eax, dword ptr fs:[00000030h] 21_2_04B4B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4B02A mov eax, dword ptr fs:[00000030h] 21_2_04B4B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4B02A mov eax, dword ptr fs:[00000030h] 21_2_04B4B02A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB7016 mov eax, dword ptr fs:[00000030h] 21_2_04BB7016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB7016 mov eax, dword ptr fs:[00000030h] 21_2_04BB7016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB7016 mov eax, dword ptr fs:[00000030h] 21_2_04BB7016
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 21_2_04BB6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 21_2_04BB6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 21_2_04BB6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6C0A mov eax, dword ptr fs:[00000030h] 21_2_04BB6C0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C01074 mov eax, dword ptr fs:[00000030h] 21_2_04C01074
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1C06 mov eax, dword ptr fs:[00000030h] 21_2_04BF1C06
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF2073 mov eax, dword ptr fs:[00000030h] 21_2_04BF2073
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C0740D mov eax, dword ptr fs:[00000030h] 21_2_04C0740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C0740D mov eax, dword ptr fs:[00000030h] 21_2_04C0740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C0740D mov eax, dword ptr fs:[00000030h] 21_2_04C0740D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C04015 mov eax, dword ptr fs:[00000030h] 21_2_04C04015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C04015 mov eax, dword ptr fs:[00000030h] 21_2_04C04015
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5746D mov eax, dword ptr fs:[00000030h] 21_2_04B5746D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B50050 mov eax, dword ptr fs:[00000030h] 21_2_04B50050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B50050 mov eax, dword ptr fs:[00000030h] 21_2_04B50050
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCC450 mov eax, dword ptr fs:[00000030h] 21_2_04BCC450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCC450 mov eax, dword ptr fs:[00000030h] 21_2_04BCC450
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6A44B mov eax, dword ptr fs:[00000030h] 21_2_04B6A44B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B61DB5 mov eax, dword ptr fs:[00000030h] 21_2_04B61DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B61DB5 mov eax, dword ptr fs:[00000030h] 21_2_04B61DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B61DB5 mov eax, dword ptr fs:[00000030h] 21_2_04B61DB5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB51BE mov eax, dword ptr fs:[00000030h] 21_2_04BB51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB51BE mov eax, dword ptr fs:[00000030h] 21_2_04BB51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB51BE mov eax, dword ptr fs:[00000030h] 21_2_04BB51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB51BE mov eax, dword ptr fs:[00000030h] 21_2_04BB51BE
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B661A0 mov eax, dword ptr fs:[00000030h] 21_2_04B661A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B661A0 mov eax, dword ptr fs:[00000030h] 21_2_04B661A0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B635A1 mov eax, dword ptr fs:[00000030h] 21_2_04B635A1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB69A6 mov eax, dword ptr fs:[00000030h] 21_2_04BB69A6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62990 mov eax, dword ptr fs:[00000030h] 21_2_04B62990
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6FD9B mov eax, dword ptr fs:[00000030h] 21_2_04B6FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6FD9B mov eax, dword ptr fs:[00000030h] 21_2_04B6FD9B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6A185 mov eax, dword ptr fs:[00000030h] 21_2_04B6A185
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5C182 mov eax, dword ptr fs:[00000030h] 21_2_04B5C182
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62581 mov eax, dword ptr fs:[00000030h] 21_2_04B62581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62581 mov eax, dword ptr fs:[00000030h] 21_2_04B62581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62581 mov eax, dword ptr fs:[00000030h] 21_2_04B62581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62581 mov eax, dword ptr fs:[00000030h] 21_2_04B62581
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B32D8A mov eax, dword ptr fs:[00000030h] 21_2_04B32D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B32D8A mov eax, dword ptr fs:[00000030h] 21_2_04B32D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B32D8A mov eax, dword ptr fs:[00000030h] 21_2_04B32D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B32D8A mov eax, dword ptr fs:[00000030h] 21_2_04B32D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B32D8A mov eax, dword ptr fs:[00000030h] 21_2_04B32D8A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BE8DF1 mov eax, dword ptr fs:[00000030h] 21_2_04BE8DF1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3B1E1 mov eax, dword ptr fs:[00000030h] 21_2_04B3B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3B1E1 mov eax, dword ptr fs:[00000030h] 21_2_04B3B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3B1E1 mov eax, dword ptr fs:[00000030h] 21_2_04B3B1E1
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BC41E8 mov eax, dword ptr fs:[00000030h] 21_2_04BC41E8
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4D5E0 mov eax, dword ptr fs:[00000030h] 21_2_04B4D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4D5E0 mov eax, dword ptr fs:[00000030h] 21_2_04B4D5E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C005AC mov eax, dword ptr fs:[00000030h] 21_2_04C005AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C005AC mov eax, dword ptr fs:[00000030h] 21_2_04C005AC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 21_2_04BB6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 21_2_04BB6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 21_2_04BB6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6DC9 mov ecx, dword ptr fs:[00000030h] 21_2_04BB6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 21_2_04BB6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB6DC9 mov eax, dword ptr fs:[00000030h] 21_2_04BB6DC9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B43D34 mov eax, dword ptr fs:[00000030h] 21_2_04B43D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3AD30 mov eax, dword ptr fs:[00000030h] 21_2_04B3AD30
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6513A mov eax, dword ptr fs:[00000030h] 21_2_04B6513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6513A mov eax, dword ptr fs:[00000030h] 21_2_04B6513A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BBA537 mov eax, dword ptr fs:[00000030h] 21_2_04BBA537
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B64D3B mov eax, dword ptr fs:[00000030h] 21_2_04B64D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B64D3B mov eax, dword ptr fs:[00000030h] 21_2_04B64D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B64D3B mov eax, dword ptr fs:[00000030h] 21_2_04B64D3B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B54120 mov eax, dword ptr fs:[00000030h] 21_2_04B54120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B54120 mov eax, dword ptr fs:[00000030h] 21_2_04B54120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B54120 mov eax, dword ptr fs:[00000030h] 21_2_04B54120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B54120 mov eax, dword ptr fs:[00000030h] 21_2_04B54120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B54120 mov ecx, dword ptr fs:[00000030h] 21_2_04B54120
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39100 mov eax, dword ptr fs:[00000030h] 21_2_04B39100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39100 mov eax, dword ptr fs:[00000030h] 21_2_04B39100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39100 mov eax, dword ptr fs:[00000030h] 21_2_04B39100
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3B171 mov eax, dword ptr fs:[00000030h] 21_2_04B3B171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3B171 mov eax, dword ptr fs:[00000030h] 21_2_04B3B171
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5C577 mov eax, dword ptr fs:[00000030h] 21_2_04B5C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5C577 mov eax, dword ptr fs:[00000030h] 21_2_04B5C577
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3C962 mov eax, dword ptr fs:[00000030h] 21_2_04B3C962
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B57D50 mov eax, dword ptr fs:[00000030h] 21_2_04B57D50
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5B944 mov eax, dword ptr fs:[00000030h] 21_2_04B5B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5B944 mov eax, dword ptr fs:[00000030h] 21_2_04B5B944
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C08D34 mov eax, dword ptr fs:[00000030h] 21_2_04C08D34
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B73D43 mov eax, dword ptr fs:[00000030h] 21_2_04B73D43
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB3540 mov eax, dword ptr fs:[00000030h] 21_2_04BB3540
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4AAB0 mov eax, dword ptr fs:[00000030h] 21_2_04B4AAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4AAB0 mov eax, dword ptr fs:[00000030h] 21_2_04B4AAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6FAB0 mov eax, dword ptr fs:[00000030h] 21_2_04B6FAB0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B352A5 mov eax, dword ptr fs:[00000030h] 21_2_04B352A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B352A5 mov eax, dword ptr fs:[00000030h] 21_2_04B352A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B352A5 mov eax, dword ptr fs:[00000030h] 21_2_04B352A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B352A5 mov eax, dword ptr fs:[00000030h] 21_2_04B352A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B352A5 mov eax, dword ptr fs:[00000030h] 21_2_04B352A5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C08ED6 mov eax, dword ptr fs:[00000030h] 21_2_04C08ED6
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB46A7 mov eax, dword ptr fs:[00000030h] 21_2_04BB46A7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6D294 mov eax, dword ptr fs:[00000030h] 21_2_04B6D294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6D294 mov eax, dword ptr fs:[00000030h] 21_2_04B6D294
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCFE87 mov eax, dword ptr fs:[00000030h] 21_2_04BCFE87
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62AE4 mov eax, dword ptr fs:[00000030h] 21_2_04B62AE4
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B616E0 mov ecx, dword ptr fs:[00000030h] 21_2_04B616E0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B476E2 mov eax, dword ptr fs:[00000030h] 21_2_04B476E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 21_2_04C00EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 21_2_04C00EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C00EA5 mov eax, dword ptr fs:[00000030h] 21_2_04C00EA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B78EC7 mov eax, dword ptr fs:[00000030h] 21_2_04B78EC7
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B636CC mov eax, dword ptr fs:[00000030h] 21_2_04B636CC
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62ACB mov eax, dword ptr fs:[00000030h] 21_2_04B62ACB
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BEFEC0 mov eax, dword ptr fs:[00000030h] 21_2_04BEFEC0
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BEFE3F mov eax, dword ptr fs:[00000030h] 21_2_04BEFE3F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3E620 mov eax, dword ptr fs:[00000030h] 21_2_04B3E620
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B74A2C mov eax, dword ptr fs:[00000030h] 21_2_04B74A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B74A2C mov eax, dword ptr fs:[00000030h] 21_2_04B74A2C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C08A62 mov eax, dword ptr fs:[00000030h] 21_2_04C08A62
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B35210 mov eax, dword ptr fs:[00000030h] 21_2_04B35210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B35210 mov ecx, dword ptr fs:[00000030h] 21_2_04B35210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B35210 mov eax, dword ptr fs:[00000030h] 21_2_04B35210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B35210 mov eax, dword ptr fs:[00000030h] 21_2_04B35210
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3AA16 mov eax, dword ptr fs:[00000030h] 21_2_04B3AA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3AA16 mov eax, dword ptr fs:[00000030h] 21_2_04B3AA16
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B53A1C mov eax, dword ptr fs:[00000030h] 21_2_04B53A1C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6A61C mov eax, dword ptr fs:[00000030h] 21_2_04B6A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6A61C mov eax, dword ptr fs:[00000030h] 21_2_04B6A61C
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3C600 mov eax, dword ptr fs:[00000030h] 21_2_04B3C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3C600 mov eax, dword ptr fs:[00000030h] 21_2_04B3C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3C600 mov eax, dword ptr fs:[00000030h] 21_2_04B3C600
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B68E00 mov eax, dword ptr fs:[00000030h] 21_2_04B68E00
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF1608 mov eax, dword ptr fs:[00000030h] 21_2_04BF1608
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B48A0A mov eax, dword ptr fs:[00000030h] 21_2_04B48A0A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 21_2_04B5AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 21_2_04B5AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 21_2_04B5AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 21_2_04B5AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5AE73 mov eax, dword ptr fs:[00000030h] 21_2_04B5AE73
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B7927A mov eax, dword ptr fs:[00000030h] 21_2_04B7927A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4766D mov eax, dword ptr fs:[00000030h] 21_2_04B4766D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BEB260 mov eax, dword ptr fs:[00000030h] 21_2_04BEB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BEB260 mov eax, dword ptr fs:[00000030h] 21_2_04BEB260
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BC4257 mov eax, dword ptr fs:[00000030h] 21_2_04BC4257
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39240 mov eax, dword ptr fs:[00000030h] 21_2_04B39240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39240 mov eax, dword ptr fs:[00000030h] 21_2_04B39240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39240 mov eax, dword ptr fs:[00000030h] 21_2_04B39240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B39240 mov eax, dword ptr fs:[00000030h] 21_2_04B39240
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B47E41 mov eax, dword ptr fs:[00000030h] 21_2_04B47E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B47E41 mov eax, dword ptr fs:[00000030h] 21_2_04B47E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B47E41 mov eax, dword ptr fs:[00000030h] 21_2_04B47E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B47E41 mov eax, dword ptr fs:[00000030h] 21_2_04B47E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B47E41 mov eax, dword ptr fs:[00000030h] 21_2_04B47E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B47E41 mov eax, dword ptr fs:[00000030h] 21_2_04B47E41
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B64BAD mov eax, dword ptr fs:[00000030h] 21_2_04B64BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B64BAD mov eax, dword ptr fs:[00000030h] 21_2_04B64BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B64BAD mov eax, dword ptr fs:[00000030h] 21_2_04B64BAD
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B48794 mov eax, dword ptr fs:[00000030h] 21_2_04B48794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B62397 mov eax, dword ptr fs:[00000030h] 21_2_04B62397
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6B390 mov eax, dword ptr fs:[00000030h] 21_2_04B6B390
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB7794 mov eax, dword ptr fs:[00000030h] 21_2_04BB7794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB7794 mov eax, dword ptr fs:[00000030h] 21_2_04BB7794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB7794 mov eax, dword ptr fs:[00000030h] 21_2_04BB7794
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF138A mov eax, dword ptr fs:[00000030h] 21_2_04BF138A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B41B8F mov eax, dword ptr fs:[00000030h] 21_2_04B41B8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B41B8F mov eax, dword ptr fs:[00000030h] 21_2_04B41B8F
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BED380 mov ecx, dword ptr fs:[00000030h] 21_2_04BED380
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B737F5 mov eax, dword ptr fs:[00000030h] 21_2_04B737F5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B603E2 mov eax, dword ptr fs:[00000030h] 21_2_04B603E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B603E2 mov eax, dword ptr fs:[00000030h] 21_2_04B603E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B603E2 mov eax, dword ptr fs:[00000030h] 21_2_04B603E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B603E2 mov eax, dword ptr fs:[00000030h] 21_2_04B603E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B603E2 mov eax, dword ptr fs:[00000030h] 21_2_04B603E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B603E2 mov eax, dword ptr fs:[00000030h] 21_2_04B603E2
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5DBE9 mov eax, dword ptr fs:[00000030h] 21_2_04B5DBE9
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C05BA5 mov eax, dword ptr fs:[00000030h] 21_2_04C05BA5
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB53CA mov eax, dword ptr fs:[00000030h] 21_2_04BB53CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BB53CA mov eax, dword ptr fs:[00000030h] 21_2_04BB53CA
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6E730 mov eax, dword ptr fs:[00000030h] 21_2_04B6E730
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C08B58 mov eax, dword ptr fs:[00000030h] 21_2_04C08B58
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B34F2E mov eax, dword ptr fs:[00000030h] 21_2_04B34F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B34F2E mov eax, dword ptr fs:[00000030h] 21_2_04B34F2E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B5F716 mov eax, dword ptr fs:[00000030h] 21_2_04B5F716
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BF131B mov eax, dword ptr fs:[00000030h] 21_2_04BF131B
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C08F6A mov eax, dword ptr fs:[00000030h] 21_2_04C08F6A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCFF10 mov eax, dword ptr fs:[00000030h] 21_2_04BCFF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04BCFF10 mov eax, dword ptr fs:[00000030h] 21_2_04BCFF10
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6A70E mov eax, dword ptr fs:[00000030h] 21_2_04B6A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B6A70E mov eax, dword ptr fs:[00000030h] 21_2_04B6A70E
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B63B7A mov eax, dword ptr fs:[00000030h] 21_2_04B63B7A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B63B7A mov eax, dword ptr fs:[00000030h] 21_2_04B63B7A
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C0070D mov eax, dword ptr fs:[00000030h] 21_2_04C0070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04C0070D mov eax, dword ptr fs:[00000030h] 21_2_04C0070D
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3DB60 mov ecx, dword ptr fs:[00000030h] 21_2_04B3DB60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4FF60 mov eax, dword ptr fs:[00000030h] 21_2_04B4FF60
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3F358 mov eax, dword ptr fs:[00000030h] 21_2_04B3F358
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B3DB40 mov eax, dword ptr fs:[00000030h] 21_2_04B3DB40
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 21_2_04B4EF40 mov eax, dword ptr fs:[00000030h] 21_2_04B4EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Code function: 17_2_00409B30 LdrLoadDll, 17_2_00409B30
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section unmapped: C:\Windows\SysWOW64\msiexec.exe base address: 1010000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Section loaded: unknown target: C:\Windows\SysWOW64\msiexec.exe protection: execute and read and write
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 401000
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 707008
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe Thread register set: target process: 3292
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe"
Source: explorer.exe, 00000012.00000002.527035535.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.466104312.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.444862487.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.481632052.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: uProgram Manager
Source: explorer.exe, 00000012.00000002.532558843.0000000005F40000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000002.527035535.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.466104312.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.444862487.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.481632052.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000012.00000002.527035535.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.466104312.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.444862487.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.481632052.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000012.00000002.522705746.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.481289276.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.443919394.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.465770135.0000000000EB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanX
Source: explorer.exe, 00000012.00000002.527035535.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.466104312.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.444862487.0000000001400000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000012.00000000.481632052.0000000001400000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000012.00000000.473262428.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.458950717.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000012.00000000.495990544.0000000008ACF000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndAj

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Queries volume information: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe VolumeInformation
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\SNO22 PriceLetter595406_RACX-159814.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.aspnet_regbrowsers.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.aspnet_regbrowsers.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000000.439286090.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512768825.0000000000E20000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.438944702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.513913485.0000000001190000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000015.00000002.521396052.0000000000C20000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.495639295.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000000.472587688.0000000007D00000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.512466693.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY