Windows Analysis Report
unpaid_invoices.exe

Overview

General Information

Sample Name: unpaid_invoices.exe
Analysis ID: 626537
MD5: fa28e3d61ae49fda627abfc78ca84dea
SHA1: 7ecf93e5d4a2873a10510d007b33b4c3460b29d5
SHA256: a7162eb3744c8a0629f9c3967700bf4e015e807340c4e1be3327011a637108c4
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Maps a DLL or memory area into another process
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
Executable has a suspicious name (potential lure to open the executable)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Extensive use of GetProcAddress (often used to hide API calls)
PE file contains strange resources
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

AV Detection

Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.beamaster.info/p0ip/"], "decoy": ["webberkerr.com", "lelezhuanshu.xyz", "weedformellc.com", "ikzoekeenbedrijfsruimte.com", "swahlove.com", "dubaidesertsafari.travel", "atozmedicalimages.com", "uniytriox.com", "clickyourcat.com", "shandun-safety.com", "pakmart.center", "roxxiesixx.com", "twistedtaqueriachicago.com", "studynursingaustralia.online", "wellnesstestinggroup.com", "justusebias.com", "yqvzs.com", "co1l7o8vy.com", "lightning.legal", "cardamagescanner.com", "megawatchinc.com", "sadebademli.com", "bcoky.com", "unleashingyou-lifecoaching.com", "epsubtitles.online", "susanpetersonrealty.com", "gdderui.com", "claris-studio.cloud", "cryptomnis.com", "1ens.domains", "localbusinessassets.com", "et9n7e4vf.com", "quoteypants.com", "bokepremaja18.biz", "xiangqinmao.com", "lilot-pland45.site", "exilings.com", "nft-id.net", "sport-outdoorpacks.com", "plnykosik.online", "cidesadelcentro.com", "stunning-black.xyz", "zoeyunker.com", "videogamesgroup.com", "autodnstest.com", "bookworms.store", "69817269.com", "one-session22-lp.com", "modelofindia.com", "kennnyshands.com", "otopenishop.net", "freegameswithoutdownload.online", "alaskanwave.net", "tjkt8.com", "abv.wiki", "protoncarsale.com", "zhipurc.com", "psicologamoderna.com", "hidinginplainsight.digital", "cuamini-trankien.xyz", "yustunning.com", "apeironpay.xyz", "allowdrops.xyz", "allyouneedstore.xyz"]}
Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: www.beamaster.info/p0ip/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Virustotal: Detection: 34%
Source: unpaid_invoices.exe Joe Sandbox ML: detected
Source: 1.2.ronkhfyq.exe.d80000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.ronkhfyq.exe.400000.8.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.ronkhfyq.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.ronkhfyq.exe.400000.4.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.ronkhfyq.exe.400000.6.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: unpaid_invoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unpaid_invoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\yysuo\kzzcum\izya\0db06ea2233046af83ff72ba291e1f8f\exvtus\fxibtxmq\Release\fxibtxmq.pdb source: unpaid_invoices.exe, 00000000.00000002.248833606.0000000000788000.00000004.00000001.01000000.00000003.sdmp, ronkhfyq.exe, 00000001.00000000.229638861.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000002.00000000.235483979.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, control.exe, 00000011.00000002.499584872.000000000311A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000011.00000002.500336053.00000000050D7000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.462569690.0000000007497000.00000004.80000000.00040000.00000000.sdmp, nss7D29.tmp.0.dr, ronkhfyq.exe.0.dr
Source: Binary string: control.pdbUGP source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 4x nop then pop edi 2_2_0040CA02
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 4x nop then pop ebx 2_2_00406EA4
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop edi 17_2_02EECA02
Source: C:\Windows\SysWOW64\control.exe Code function: 4x nop then pop ebx 17_2_02EE6EA5

Networking

Source: Malware configuration extractor URLs: www.beamaster.info/p0ip/
Source: explorer.exe, 0000001B.00000000.491457253.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.451885872.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.468009786.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.466224505.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.465809176.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.450166228.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.449810104.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.464512993.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.490550575.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.443910972.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.441840899.0000000009B83000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.488161679.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491255412.0000000009B66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491310221.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.493308123.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491580962.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.493220220.0000000009B66000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.450978989.0000000009B80000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.488054487.0000000009B82000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.464944706.0000000009B6A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.491957407.0000000009B80000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 0000001B.00000003.441376750.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.442769912.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.m
Source: unpaid_invoices.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_0040580F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040580F

E-Banking Fraud

Source: Yara match File sources: the same unpacked PE files and memory dumps listed under AV Detection above.

System Summary

Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: initial sample Static PE information: Filename: unpaid_invoices.exe
Source: unpaid_invoices.exe Static file information: Suspicious name
Source: unpaid_invoices.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E118A0 1_2_00E118A0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E196B0 1_2_00E196B0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E17E99 1_2_00E17E99
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E19C22 1_2_00E19C22
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E1B401 1_2_00E1B401
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E1C3CD 1_2_00E1C3CD
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E1A194 1_2_00E1A194
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00401030 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0040926B 2_2_0040926B
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00409270 2_2_00409270
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0040DC0B 2_2_0040DC0B
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0040DC10 2_2_0040DC10
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00402D90 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041EFA7 2_2_0041EFA7
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00402FB0 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041E7BA 2_2_0041E7BA
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E118A0 2_2_00E118A0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E1A194 2_2_00E1A194
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E1C3CD 2_2_00E1C3CD
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E19C22 2_2_00E19C22
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E1B401 2_2_00E1B401
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E196B0 2_2_00E196B0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E17E99 2_2_00E17E99
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BDB090 17_2_04BDB090
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD841F 17_2_04BD841F
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C81002 17_2_04C81002
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC0D20 17_2_04BC0D20
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C91D55 17_2_04C91D55
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE4120 17_2_04BE4120
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCF900 17_2_04BCF900
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE6E30 17_2_04BE6E30
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFEBB0 17_2_04BFEBB0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EE926B 17_2_02EE926B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EE9270 17_2_02EE9270
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFEFA7 17_2_02EFEFA7
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFE7BA 17_2_02EFE7BA
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EE2FB0 17_2_02EE2FB0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EEDC0B 17_2_02EEDC0B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EEDC10 17_2_02EEDC10
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EE2D90 17_2_02EE2D90
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: String function: 00E145A9 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: String function: 00E12410 appears 54 times
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A310 NtCreateFile, 2_2_0041A310
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A3C0 NtReadFile, 2_2_0041A3C0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A440 NtClose, 2_2_0041A440
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A4F0 NtAllocateVirtualMemory, 2_2_0041A4F0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A368 NtReadFile, 2_2_0041A368
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A30A NtCreateFile, 2_2_0041A30A
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A43A NtClose, 2_2_0041A43A
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041A4EA NtAllocateVirtualMemory, 2_2_0041A4EA
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09840 NtDelayExecution,LdrInitializeThunk, 17_2_04C09840
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09860 NtQuerySystemInformation,LdrInitializeThunk, 17_2_04C09860
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C095D0 NtClose,LdrInitializeThunk, 17_2_04C095D0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C099A0 NtCreateSection,LdrInitializeThunk, 17_2_04C099A0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09540 NtReadFile,LdrInitializeThunk, 17_2_04C09540
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09910 NtAdjustPrivilegesToken,LdrInitializeThunk, 17_2_04C09910
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C096D0 NtCreateKey,LdrInitializeThunk, 17_2_04C096D0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C096E0 NtFreeVirtualMemory,LdrInitializeThunk, 17_2_04C096E0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09650 NtQueryValueKey,LdrInitializeThunk, 17_2_04C09650
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09A50 NtCreateFile,LdrInitializeThunk, 17_2_04C09A50
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09660 NtAllocateVirtualMemory,LdrInitializeThunk, 17_2_04C09660
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09FE0 NtCreateMutant,LdrInitializeThunk, 17_2_04C09FE0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09780 NtMapViewOfSection,LdrInitializeThunk, 17_2_04C09780
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09710 NtQueryInformationToken,LdrInitializeThunk, 17_2_04C09710
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C098F0 NtReadVirtualMemory, 17_2_04C098F0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C098A0 NtWriteVirtualMemory, 17_2_04C098A0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C0B040 NtSuspendThread, 17_2_04C0B040
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09820 NtEnumerateKey, 17_2_04C09820
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C099D0 NtCreateProcessEx, 17_2_04C099D0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C095F0 NtQueryInformationFile, 17_2_04C095F0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09950 NtQueueApcThread, 17_2_04C09950
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09560 NtWriteFile, 17_2_04C09560
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09520 NtWaitForSingleObject, 17_2_04C09520
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C0AD30 NtSetContextThread, 17_2_04C0AD30
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09A80 NtOpenDirectoryObject, 17_2_04C09A80
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09670 NtQueryInformationProcess, 17_2_04C09670
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09A00 NtProtectVirtualMemory, 17_2_04C09A00
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09610 NtEnumerateValueKey, 17_2_04C09610
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09A10 NtQuerySection, 17_2_04C09A10
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09A20 NtResumeThread, 17_2_04C09A20
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C097A0 NtUnmapViewOfSection, 17_2_04C097A0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C0A3B0 NtGetContextThread, 17_2_04C0A3B0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09760 NtOpenProcess, 17_2_04C09760
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09770 NtSetInformationFile, 17_2_04C09770
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C0A770 NtOpenThread, 17_2_04C0A770
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09B00 NtSetValueKey, 17_2_04C09B00
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C0A710 NtOpenProcessToken, 17_2_04C0A710
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C09730 NtQueryVirtualMemory, 17_2_04C09730
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA3C0 NtReadFile, 17_2_02EFA3C0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA310 NtCreateFile, 17_2_02EFA310
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA4F0 NtAllocateVirtualMemory, 17_2_02EFA4F0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA440 NtClose, 17_2_02EFA440
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA368 NtReadFile, 17_2_02EFA368
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA30A NtCreateFile, 17_2_02EFA30A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA4EA NtAllocateVirtualMemory, 17_2_02EFA4EA
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFA43A NtClose, 17_2_02EFA43A
Source: unpaid_invoices.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\Desktop\unpaid_invoices.exe File read: C:\Users\user\Desktop\unpaid_invoices.exe
Source: unpaid_invoices.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\unpaid_invoices.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\unpaid_invoices.exe "C:\Users\user\Desktop\unpaid_invoices.exe"
Source: C:\Users\user\Desktop\unpaid_invoices.exe Process created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
Source: C:\Users\user\Desktop\unpaid_invoices.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x0000000000000019.db
Source: C:\Users\user\Desktop\unpaid_invoices.exe File created: C:\Users\user\AppData\Local\Temp\nsx7CF9.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@0/0
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\Desktop\unpaid_invoices.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00404ABB GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404ABB
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Command line argument: nF 1_2_00E145C0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Command line argument: nF 2_2_00E145C0
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\explorer.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: unpaid_invoices.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: control.pdb source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ronkhfyq.exe, 00000001.00000003.234061206.000000001A710000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000001.00000003.237833298.000000001A8A0000.00000004.00001000.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.239686577.0000000000E36000.00000004.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303340292.0000000000FD0000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303914689.00000000010EF000.00000040.00000800.00020000.00000000.sdmp, ronkhfyq.exe, 00000002.00000003.238238247.0000000000B9E000.00000004.00000800.00020000.00000000.sdmp, control.exe, control.exe, 00000011.00000002.500024193.0000000004CBF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.303050048.0000000003204000.00000004.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000002.499888198.0000000004BA0000.00000040.00000800.00020000.00000000.sdmp, control.exe, 00000011.00000003.304479870.0000000004A09000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\yysuo\kzzcum\izya\0db06ea2233046af83ff72ba291e1f8f\exvtus\fxibtxmq\Release\fxibtxmq.pdb source: unpaid_invoices.exe, 00000000.00000002.248833606.0000000000788000.00000004.00000001.01000000.00000003.sdmp, ronkhfyq.exe, 00000001.00000000.229638861.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000001.00000002.238525617.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, ronkhfyq.exe, 00000002.00000000.235483979.0000000000E1E000.00000002.00000001.01000000.00000004.sdmp, control.exe, 00000011.00000002.499584872.000000000311A000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000011.00000002.500336053.00000000050D7000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 0000001B.00000000.462569690.0000000007497000.00000004.80000000.00040000.00000000.sdmp, nss7D29.tmp.0.dr, ronkhfyq.exe.0.dr
Source: Binary string: control.pdbUGP source: ronkhfyq.exe, 00000002.00000002.303244940.0000000000DB0000.00000040.10000000.00040000.00000000.sdmp, ronkhfyq.exe, 00000002.00000002.303149130.0000000000A9A000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E12455 push ecx; ret 1_2_00E12468
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D662 push eax; ret 2_2_0041D668
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D66B push eax; ret 2_2_0041D6D2
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D615 push eax; ret 2_2_0041D668
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0041D6CC push eax; ret 2_2_0041D6D2
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00417EE1 pushad ; retf 2_2_00417EE2
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E12455 push ecx; ret 2_2_00E12468
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C1D0D1 push ecx; ret 17_2_04C1D0E4
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EF7EE1 pushad ; retf 17_2_02EF7EE2
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD6CC push eax; ret 17_2_02EFD6D2
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD66B push eax; ret 17_2_02EFD6D2
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD662 push eax; ret 17_2_02EFD668
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_02EFD615 push eax; ret 17_2_02EFD668
Source: C:\Users\user\Desktop\unpaid_invoices.exe File created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E118A0 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 1_2_00E118A0
Source: C:\Windows\explorer.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\unpaid_invoices.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe RDTSC instruction interceptor: First address: 0000000000408C04 second address: 0000000000408C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe RDTSC instruction interceptor: First address: 0000000000408F8E second address: 0000000000408F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000002EE8C04 second address: 0000000002EE8C0A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000002EE8F8E second address: 0000000002EE8F94 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00408EC0 rdtsc 2_2_00408EC0
Source: C:\Windows\explorer.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#5&1ec51bf7&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00405D7A CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405D7A
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_004069A4 FindFirstFileW,FindClose, 0_2_004069A4
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\unpaid_invoices.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 0000001B.00000000.491150367.0000000009A47000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 0000001B.00000003.466175807.0000000009BD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 0000001B.00000003.441522193.0000000009C19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\H
Source: explorer.exe, 0000001B.00000003.450410263.0000000009BEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000000.491457253.0000000009B82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}user
Source: explorer.exe, 0000001B.00000000.464739705.0000000009AB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00{S
Source: explorer.exe, 0000001B.00000000.473356899.0000000006505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m
Source: explorer.exe, 00000005.00000000.249331621.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00j
Source: explorer.exe, 0000001B.00000003.464053628.0000000009B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bs"
Source: explorer.exe, 0000001B.00000003.449810104.0000000009B82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 0d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001B.00000003.437309717.0000000009AF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9Tm\Device\HarddiskVolume2\??\Volume{ef47ea26-ec76-4a6e-8680-9e53b539546d}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:G
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000005.00000000.271975150.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}ed:Wednesday:Thu:Thursday:Fri:Friday:Sat:Saturday
Source: explorer.exe, 0000001B.00000000.491408664.0000000009B4E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.Users
Source: explorer.exe, 0000001B.00000003.441522193.0000000009C19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00y
Source: explorer.exe, 00000005.00000000.271975150.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00dRom0cY
Source: explorer.exe, 0000001B.00000003.490329188.0000000009B66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
Source: explorer.exe, 0000001B.00000003.441177582.0000000009C46000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}h
Source: explorer.exe, 0000001B.00000000.487131227.0000000006410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000005.00000000.271975150.0000000006005000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000000.487131227.0000000006410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AASCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001B.00000000.487465818.0000000006505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: war&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94fZ
Source: explorer.exe, 0000001B.00000000.487465818.0000000006505000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}[
Source: explorer.exe, 0000001B.00000003.451527442.0000000009B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000001B.00000003.441522193.0000000009C19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\R
Source: explorer.exe, 0000001B.00000000.484707590.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000\
Source: explorer.exe, 0000001B.00000003.443497127.0000000009C01000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Br
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00
Source: explorer.exe, 00000005.00000000.271012632.00000000051F7000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: -94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}71USER
Source: explorer.exe, 0000001B.00000000.413259157.0000000000A48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\.dllC
Source: explorer.exe, 0000001B.00000000.470592589.0000000000A74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}'b
Source: explorer.exe, 0000001B.00000003.486435704.0000000009B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}.Users
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001B.00000003.441522193.0000000009C19000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 0000001B.00000003.486435704.0000000009B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001B.00000003.490653470.0000000009CCF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Bdle'
Source: explorer.exe, 0000001B.00000003.450109036.0000000009B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: k\\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000003.451942981.0000000009BEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: E#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000003.486435704.0000000009B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Users
Source: explorer.exe, 0000001B.00000000.492168075.0000000009CD1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001B.00000003.491915553.0000000009CCE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.252434435.0000000005EAB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000001B.00000003.489338000.0000000009B4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: me#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B
Source: explorer.exe, 0000001B.00000003.452231677.0000000009B81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000001B.00000003.491932067.0000000009CD0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B6s
Source: explorer.exe, 0000001B.00000003.452231677.0000000009B81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewB
Source: explorer.exe, 0000001B.00000003.486435704.0000000009B37000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}B}
Source: explorer.exe, 0000001B.00000003.464937366.0000000009B80000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f563
Source: explorer.exe, 00000005.00000000.249331621.000000000510C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 0000001B.00000003.443034408.0000000009C0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NECVMWarVMware SATA CD001.00X
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E17AA5 IsDebuggerPresent, 1_2_00E17AA5
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E1559A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_00E1559A
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E186FE __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 1_2_00E186FE
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00408EC0 rdtsc 2_2_00408EC0
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFF0BF mov ecx, dword ptr fs:[00000030h] 17_2_04BFF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFF0BF mov eax, dword ptr fs:[00000030h] 17_2_04BFF0BF
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C5B8D0 mov eax, dword ptr fs:[00000030h] 17_2_04C5B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C5B8D0 mov ecx, dword ptr fs:[00000030h] 17_2_04C5B8D0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C98CD6 mov eax, dword ptr fs:[00000030h] 17_2_04C98CD6
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C814FB mov eax, dword ptr fs:[00000030h] 17_2_04C814FB
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C46CF0 mov eax, dword ptr fs:[00000030h] 17_2_04C46CF0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9080 mov eax, dword ptr fs:[00000030h] 17_2_04BC9080
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C43884 mov eax, dword ptr fs:[00000030h] 17_2_04C43884
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C090AF mov eax, dword ptr fs:[00000030h] 17_2_04C090AF
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFBC2C mov eax, dword ptr fs:[00000030h] 17_2_04BFBC2C
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C5C450 mov eax, dword ptr fs:[00000030h] 17_2_04C5C450
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BDB02A mov eax, dword ptr fs:[00000030h] 17_2_04BDB02A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C82073 mov eax, dword ptr fs:[00000030h] 17_2_04C82073
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C91074 mov eax, dword ptr fs:[00000030h] 17_2_04C91074
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C9740D mov eax, dword ptr fs:[00000030h] 17_2_04C9740D
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C81C06 mov eax, dword ptr fs:[00000030h] 17_2_04C81C06
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C46C0A mov eax, dword ptr fs:[00000030h] 17_2_04C46C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C46C0A mov eax, dword ptr fs:[00000030h] 17_2_04C46C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C46C0A mov eax, dword ptr fs:[00000030h] 17_2_04C46C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C46C0A mov eax, dword ptr fs:[00000030h] 17_2_04C46C0A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C47016 mov eax, dword ptr fs:[00000030h] 17_2_04C47016
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C47016 mov eax, dword ptr fs:[00000030h] 17_2_04C47016
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C47016 mov eax, dword ptr fs:[00000030h] 17_2_04C47016
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE746D mov eax, dword ptr fs:[00000030h] 17_2_04BE746D
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C94015 mov eax, dword ptr fs:[00000030h] 17_2_04C94015
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C94015 mov eax, dword ptr fs:[00000030h] 17_2_04C94015
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE0050 mov eax, dword ptr fs:[00000030h] 17_2_04BE0050
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE0050 mov eax, dword ptr fs:[00000030h] 17_2_04BE0050
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF35A1 mov eax, dword ptr fs:[00000030h] 17_2_04BF35A1
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFFD9B mov eax, dword ptr fs:[00000030h] 17_2_04BFFD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFFD9B mov eax, dword ptr fs:[00000030h] 17_2_04BFFD9B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C78DF1 mov eax, dword ptr fs:[00000030h] 17_2_04C78DF1
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC2D8A mov eax, dword ptr fs:[00000030h] 17_2_04BC2D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC2D8A mov eax, dword ptr fs:[00000030h] 17_2_04BC2D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC2D8A mov eax, dword ptr fs:[00000030h] 17_2_04BC2D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC2D8A mov eax, dword ptr fs:[00000030h] 17_2_04BC2D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC2D8A mov eax, dword ptr fs:[00000030h] 17_2_04BC2D8A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFA185 mov eax, dword ptr fs:[00000030h] 17_2_04BFA185
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEC182 mov eax, dword ptr fs:[00000030h] 17_2_04BEC182
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCB1E1 mov eax, dword ptr fs:[00000030h] 17_2_04BCB1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCB1E1 mov eax, dword ptr fs:[00000030h] 17_2_04BCB1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCB1E1 mov eax, dword ptr fs:[00000030h] 17_2_04BCB1E1
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C03D43 mov eax, dword ptr fs:[00000030h] 17_2_04C03D43
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF4D3B mov eax, dword ptr fs:[00000030h] 17_2_04BF4D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF4D3B mov eax, dword ptr fs:[00000030h] 17_2_04BF4D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF4D3B mov eax, dword ptr fs:[00000030h] 17_2_04BF4D3B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C43540 mov eax, dword ptr fs:[00000030h] 17_2_04C43540
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF513A mov eax, dword ptr fs:[00000030h] 17_2_04BF513A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF513A mov eax, dword ptr fs:[00000030h] 17_2_04BF513A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD3D34 mov eax, dword ptr fs:[00000030h] 17_2_04BD3D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCAD30 mov eax, dword ptr fs:[00000030h] 17_2_04BCAD30
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE4120 mov eax, dword ptr fs:[00000030h] 17_2_04BE4120
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE4120 mov eax, dword ptr fs:[00000030h] 17_2_04BE4120
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE4120 mov eax, dword ptr fs:[00000030h] 17_2_04BE4120
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE4120 mov eax, dword ptr fs:[00000030h] 17_2_04BE4120
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE4120 mov ecx, dword ptr fs:[00000030h] 17_2_04BE4120
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9100 mov eax, dword ptr fs:[00000030h] 17_2_04BC9100
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9100 mov eax, dword ptr fs:[00000030h] 17_2_04BC9100
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9100 mov eax, dword ptr fs:[00000030h] 17_2_04BC9100
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEC577 mov eax, dword ptr fs:[00000030h] 17_2_04BEC577
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEC577 mov eax, dword ptr fs:[00000030h] 17_2_04BEC577
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCB171 mov eax, dword ptr fs:[00000030h] 17_2_04BCB171
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCB171 mov eax, dword ptr fs:[00000030h] 17_2_04BCB171
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE7D50 mov eax, dword ptr fs:[00000030h] 17_2_04BE7D50
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C4A537 mov eax, dword ptr fs:[00000030h] 17_2_04C4A537
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEB944 mov eax, dword ptr fs:[00000030h] 17_2_04BEB944
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEB944 mov eax, dword ptr fs:[00000030h] 17_2_04BEB944
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C98D34 mov eax, dword ptr fs:[00000030h] 17_2_04C98D34
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C7FEC0 mov eax, dword ptr fs:[00000030h] 17_2_04C7FEC0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C08EC7 mov eax, dword ptr fs:[00000030h] 17_2_04C08EC7
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BDAAB0 mov eax, dword ptr fs:[00000030h] 17_2_04BDAAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BDAAB0 mov eax, dword ptr fs:[00000030h] 17_2_04BDAAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFFAB0 mov eax, dword ptr fs:[00000030h] 17_2_04BFFAB0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC52A5 mov eax, dword ptr fs:[00000030h] 17_2_04BC52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC52A5 mov eax, dword ptr fs:[00000030h] 17_2_04BC52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC52A5 mov eax, dword ptr fs:[00000030h] 17_2_04BC52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC52A5 mov eax, dword ptr fs:[00000030h] 17_2_04BC52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC52A5 mov eax, dword ptr fs:[00000030h] 17_2_04BC52A5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C98ED6 mov eax, dword ptr fs:[00000030h] 17_2_04C98ED6
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFD294 mov eax, dword ptr fs:[00000030h] 17_2_04BFD294
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFD294 mov eax, dword ptr fs:[00000030h] 17_2_04BFD294
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C5FE87 mov eax, dword ptr fs:[00000030h] 17_2_04C5FE87
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF16E0 mov ecx, dword ptr fs:[00000030h] 17_2_04BF16E0
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD76E2 mov eax, dword ptr fs:[00000030h] 17_2_04BD76E2
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C446A7 mov eax, dword ptr fs:[00000030h] 17_2_04C446A7
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C90EA5 mov eax, dword ptr fs:[00000030h] 17_2_04C90EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C90EA5 mov eax, dword ptr fs:[00000030h] 17_2_04C90EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C90EA5 mov eax, dword ptr fs:[00000030h] 17_2_04C90EA5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF36CC mov eax, dword ptr fs:[00000030h] 17_2_04BF36CC
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCE620 mov eax, dword ptr fs:[00000030h] 17_2_04BCE620
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BE3A1C mov eax, dword ptr fs:[00000030h] 17_2_04BE3A1C
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C7B260 mov eax, dword ptr fs:[00000030h] 17_2_04C7B260
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C7B260 mov eax, dword ptr fs:[00000030h] 17_2_04C7B260
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C98A62 mov eax, dword ptr fs:[00000030h] 17_2_04C98A62
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C0927A mov eax, dword ptr fs:[00000030h] 17_2_04C0927A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCC600 mov eax, dword ptr fs:[00000030h] 17_2_04BCC600
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCC600 mov eax, dword ptr fs:[00000030h] 17_2_04BCC600
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCC600 mov eax, dword ptr fs:[00000030h] 17_2_04BCC600
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEAE73 mov eax, dword ptr fs:[00000030h] 17_2_04BEAE73
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEAE73 mov eax, dword ptr fs:[00000030h] 17_2_04BEAE73
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEAE73 mov eax, dword ptr fs:[00000030h] 17_2_04BEAE73
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEAE73 mov eax, dword ptr fs:[00000030h] 17_2_04BEAE73
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BEAE73 mov eax, dword ptr fs:[00000030h] 17_2_04BEAE73
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD766D mov eax, dword ptr fs:[00000030h] 17_2_04BD766D
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C7FE3F mov eax, dword ptr fs:[00000030h] 17_2_04C7FE3F
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9240 mov eax, dword ptr fs:[00000030h] 17_2_04BC9240
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9240 mov eax, dword ptr fs:[00000030h] 17_2_04BC9240
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9240 mov eax, dword ptr fs:[00000030h] 17_2_04BC9240
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC9240 mov eax, dword ptr fs:[00000030h] 17_2_04BC9240
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] 17_2_04BD7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] 17_2_04BD7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] 17_2_04BD7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] 17_2_04BD7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] 17_2_04BD7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD7E41 mov eax, dword ptr fs:[00000030h] 17_2_04BD7E41
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFB390 mov eax, dword ptr fs:[00000030h] 17_2_04BFB390
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD1B8F mov eax, dword ptr fs:[00000030h] 17_2_04BD1B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BD1B8F mov eax, dword ptr fs:[00000030h] 17_2_04BD1B8F
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C8138A mov eax, dword ptr fs:[00000030h] 17_2_04C8138A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C7D380 mov ecx, dword ptr fs:[00000030h] 17_2_04C7D380
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C47794 mov eax, dword ptr fs:[00000030h] 17_2_04C47794
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C47794 mov eax, dword ptr fs:[00000030h] 17_2_04C47794
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C47794 mov eax, dword ptr fs:[00000030h] 17_2_04C47794
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C95BA5 mov eax, dword ptr fs:[00000030h] 17_2_04C95BA5
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BFE730 mov eax, dword ptr fs:[00000030h] 17_2_04BFE730
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C98B58 mov eax, dword ptr fs:[00000030h] 17_2_04C98B58
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC4F2E mov eax, dword ptr fs:[00000030h] 17_2_04BC4F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BC4F2E mov eax, dword ptr fs:[00000030h] 17_2_04BC4F2E
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C98F6A mov eax, dword ptr fs:[00000030h] 17_2_04C98F6A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C9070D mov eax, dword ptr fs:[00000030h] 17_2_04C9070D
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C9070D mov eax, dword ptr fs:[00000030h] 17_2_04C9070D
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF3B7A mov eax, dword ptr fs:[00000030h] 17_2_04BF3B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BF3B7A mov eax, dword ptr fs:[00000030h] 17_2_04BF3B7A
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C8131B mov eax, dword ptr fs:[00000030h] 17_2_04C8131B
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C5FF10 mov eax, dword ptr fs:[00000030h] 17_2_04C5FF10
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04C5FF10 mov eax, dword ptr fs:[00000030h] 17_2_04C5FF10
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCDB60 mov ecx, dword ptr fs:[00000030h] 17_2_04BCDB60
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BDFF60 mov eax, dword ptr fs:[00000030h] 17_2_04BDFF60
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCF358 mov eax, dword ptr fs:[00000030h] 17_2_04BCF358
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BCDB40 mov eax, dword ptr fs:[00000030h] 17_2_04BCDB40
Source: C:\Windows\SysWOW64\control.exe Code function: 17_2_04BDEF40 mov eax, dword ptr fs:[00000030h] 17_2_04BDEF40
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_0040A130 LdrLoadDll, 2_2_0040A130
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E143DC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00E143DC
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E143AB SetUnhandledExceptionFilter, 1_2_00E143AB
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E143DC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00E143DC
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 2_2_00E143AB SetUnhandledExceptionFilter, 2_2_00E143AB
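The fs:[00000030h] reads listed above fetch the PEB pointer from the TEB. That read by itself is also what position-independent API-resolution code does (it walks PEB.Ldr at +0x0C), so the sandbox counts it under "may be used to detect a debugger" because the PEB's BeingDebugged byte sits at offset +2 and the same read is the first half of an inline IsDebuggerPresent. The scanner below is an added example, not part of this report and not the sandbox's own signature logic: it finds the 32-bit encodings of `mov r32, fs:[30h]` in a code blob and reports whether a byte access to [reg+2] follows within a short window, which is the distinction a triage analyst wants when deciding which of these hits are actually anti-debug. The byte blob it runs on is constructed for the example and is not taken from the sample.

```python
"""Find fs:[30h] PEB reads in 32-bit x86 code and flag those followed by a
PEB.BeingDebugged (+2) byte access. Added example; encodings are standard
x86, the sample blob at the bottom is constructed, not from the malware."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit encodings of "mov r32, dword ptr fs:[30h]" (TEB+0x30 = PEB pointer):
#   64 A1 30 00 00 00       mov eax, fs:[30h]   short accumulator form
#   64 8B /r 30 00 00 00    mov r32, fs:[30h]   ModRM mod=00, rm=101 (disp32)
PEB_READ = re.compile(
    rb"\x64(?:\xA1|\x8B([\x05\x0D\x15\x1D\x25\x2D\x35\x3D]))\x30\x00\x00\x00"
)


@dataclass
class PebRead:
    offset: int                  # offset of the fs:[30h] instruction
    reg: str                     # register that now holds the PEB pointer
    debug_check: Optional[str]   # following [reg+2] byte access, if any
    check_offset: Optional[int]


def _beingdebugged_access(code: bytes, start: int, reg: int,
                          window: int = 32) -> Optional[Tuple[int, str]]:
    """Look a few instructions ahead for a byte access to [reg+2].
    Idioms covered (all use ModRM mod=01 / disp8=2, rm=reg):
      8A /r 02       mov r8, byte ptr [reg+2]
      0F B6 /r 02    movzx r32, byte ptr [reg+2]
      80 /7 02 ib    cmp byte ptr [reg+2], imm8
    reg=esp (4) would need a SIB byte and is deliberately not handled."""
    seg = code[start:start + window]

    def modrm_hits(m: int) -> bool:
        return (m & 0xC7) == (0x40 | reg)

    for i in range(len(seg)):
        op = seg[i:i + 4]
        if len(op) >= 3 and op[0] == 0x8A and modrm_hits(op[1]) and op[2] == 0x02:
            return start + i, f"mov r8, byte ptr [{REG32[reg]}+2]"
        if (len(op) >= 4 and op[0] == 0x0F and op[1] == 0xB6
                and modrm_hits(op[2]) and op[3] == 0x02):
            return start + i, f"movzx r32, byte ptr [{REG32[reg]}+2]"
        if (len(op) >= 3 and op[0] == 0x80 and modrm_hits(op[1])
                and (op[1] & 0x38) == 0x38 and op[2] == 0x02):
            return start + i, f"cmp byte ptr [{REG32[reg]}+2], imm8"
    return None


def scan_peb_reads(code: bytes) -> List[PebRead]:
    """Return every fs:[30h] read with the register it lands in and, when one
    follows, the BeingDebugged access that turns it into a debugger check."""
    hits: List[PebRead] = []
    for m in PEB_READ.finditer(code):
        reg = 0 if m.group(1) is None else (m.group(1)[0] >> 3) & 7
        chk = _beingdebugged_access(code, m.end(), reg)
        hits.append(PebRead(m.start(), REG32[reg],
                            chk[1] if chk else None, chk[0] if chk else None))
    return hits


# Constructed blob (not from the sample): two inline BeingDebugged checks and one
# benign PEB read that goes on to PEB.Ldr (+0x0C), as API-resolution stubs do.
SAMPLE = bytes.fromhex(
    "90 90"                  # nop; nop
    "64 A1 30 00 00 00"      # mov eax, fs:[30h]
    "0F B6 40 02"            # movzx eax, byte ptr [eax+2]   PEB.BeingDebugged
    "85 C0"                  # test eax, eax
    "75 05"                  # jne debugged
    "64 8B 0D 30 00 00 00"   # mov ecx, fs:[30h]
    "8A 41 02"               # mov al, byte ptr [ecx+2]      PEB.BeingDebugged
    "84 C0"                  # test al, al
    "64 8B 1D 30 00 00 00"   # mov ebx, fs:[30h]
    "8B 43 0C"               # mov eax, [ebx+0Ch]            PEB.Ldr, not anti-debug
    "C3"                     # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        if h.debug_check:
            verdict = f"BeingDebugged check at 0x{h.check_offset:X}: {h.debug_check}"
        else:
            verdict = "no BeingDebugged access in window"
        print(f"0x{h.offset:04X}  mov {h.reg}, fs:[30h]  ->  {verdict}")
```

Run against a dumped code region (for example the `17_2_*` ranges in control.exe), the hits with a `[reg+2]` follow-up are the ones worth looking at as anti-debug; the rest are PEB reads for other purposes such as module enumeration, and the window size is a heuristic that a compiler-scheduled check could defeat.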

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: unknown protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Thread register set: target process: 3616
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3616
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3080
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Process created: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\ronkhfyq.exe C:\Users\user\AppData\Local\Temp\neslq
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\ronkhfyq.exe"
Source: explorer.exe, 00000005.00000000.348518528.0000000005E60000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.286646709.0000000005E60000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.280419842.00000000005C8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.280644910.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.280644910.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342562960.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager,
Source: explorer.exe, 00000005.00000000.265421157.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.280644910.0000000000B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.342562960.0000000000B50000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 0000001B.00000000.470520461.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.458823755.0000000000A48000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000000.483237143.0000000000A48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanUse
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E13293 cpuid 1_2_00E13293
Source: C:\Users\user\AppData\Local\Temp\ronkhfyq.exe Code function: 1_2_00E13ED8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 1_2_00E13ED8
Source: C:\Users\user\Desktop\unpaid_invoices.exe Code function: 0_2_00403646 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_00403646
Source: explorer.exe, 0000001B.00000003.441618102.0000000009AAD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.467442285.0000000009AB4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000001B.00000003.442818303.0000000009AB4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
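The section-map, APC-queue and thread-register lines in this section are the raw events behind the "Maps a DLL or memory area into another process" and thread-injection signatures, and the cmd.exe /c del line is the dropper being removed by the system binary it injected into. What makes those events an injection chain rather than a benign shared section is the pairing: an execute+write mapping into a target combined with an execution primitive (APC or thread context) into that same target. The correlator below is an added example, not the report's or the sandbox's code: it groups constructed event records shaped like the lines above by (source, target), flags a chain only when both halves are present, and separately flags a Windows system binary spawning cmd.exe to delete a file. The event schema and field names are my own, and image paths stand in for the PIDs the report shows, since the report does not say which images 3616 and 3080 are.

```python
"""Correlate cross-process memory/thread events into injection chains.
Added example; the Event schema and the EVENTS list are constructed to mirror
the report's lines and are not sandbox output."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DROPPER = r"C:\Users\user\AppData\Local\Temp\ronkhfyq.exe"
CONTROL = r"C:\Windows\SysWOW64\control.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"   # constructed benign actor


@dataclass
class Event:
    source: str        # image path of the acting process
    kind: str          # map_section | queue_apc | set_thread_context | create_process
    target: str = ""   # victim image for cross-process kinds, child image otherwise
    detail: str = ""   # page protection for map_section, command line for create_process


@dataclass
class Chain:
    source: str
    target: str
    rwx_map: bool = False
    exec_primitives: List[str] = field(default_factory=list)

    @property
    def is_injection(self) -> bool:
        # A writable+executable mapping alone is what the "maps a memory area into
        # another process" signature sees; pairing it with an execution primitive
        # into the same target is what separates injection from a shared section.
        return self.rwx_map and bool(self.exec_primitives)


def _is_self_delete_via_lolbin(e: Event) -> bool:
    """A Windows system binary spawning cmd.exe to delete a file: the pattern of
    the 'cmd.exe /c del <dropper>' line, which a signed process never needs."""
    cmd = e.detail.lower()
    return (e.kind == "create_process"
            and "cmd.exe" in cmd and " del " in cmd
            and e.source.lower().startswith("c:\\windows\\"))


def correlate(events: List[Event]) -> Tuple[List[Chain], List[str]]:
    """Return every (source, target) chain seen plus human-readable findings."""
    chains: Dict[Tuple[str, str], Chain] = {}
    findings: List[str] = []
    for e in events:
        if e.kind in ("map_section", "queue_apc", "set_thread_context"):
            c = chains.setdefault((e.source, e.target), Chain(e.source, e.target))
            if e.kind == "map_section":
                prot = e.detail.lower()
                if "execute" in prot and "write" in prot:
                    c.rwx_map = True
            else:
                c.exec_primitives.append(e.kind)
        elif _is_self_delete_via_lolbin(e):
            findings.append(f"{e.source} spawned {e.detail!r}: dropper self-deletion via LOLBin")
    for c in chains.values():
        if c.is_injection:
            prims = ",".join(sorted(set(c.exec_primitives)))
            findings.append(f"{c.source} -> {c.target}: RWX section + {prims}")
    return list(chains.values()), findings


# Constructed events mirroring the report: RWX maps + APC into explorer.exe from the
# dropper, RWX map + thread context into explorer.exe from control.exe, an RWX map
# into control.exe with no execution primitive, a benign RW section from svchost.exe,
# and the self-deletion command line.
EVENTS = [
    Event(DROPPER, "map_section", EXPLORER, "execute and read and write"),
    Event(DROPPER, "map_section", CONTROL, "execute and read and write"),
    Event(DROPPER, "queue_apc", EXPLORER),
    Event(CONTROL, "map_section", EXPLORER, "read write"),
    Event(CONTROL, "map_section", EXPLORER, "execute and read and write"),
    Event(CONTROL, "set_thread_context", EXPLORER),
    Event(SVCHOST, "map_section", EXPLORER, "read write"),
    Event(CONTROL, "create_process", r"C:\Windows\SysWOW64\cmd.exe",
          r'C:\Windows\SysWOW64\cmd.exe /c del "' + DROPPER + '"'),
]

if __name__ == "__main__":
    _, found = correlate(EVENTS)
    for line in found:
        print(line)
```

The chain for ronkhfyq.exe into control.exe stays below the bar because the constructed event list carries no APC or thread-context event for that target; in the real report the "Thread register set: target process: 3616" lines may well be that primitive, but without the PID-to-image mapping the correlator should not assume it.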

Stealing of Sensitive Information

Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.ronkhfyq.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.ronkhfyq.exe.d80000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.0.ronkhfyq.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000000.237595371.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.275722740.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.290093186.000000000D381000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499446958.0000000003010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303094021.0000000000A40000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.303067369.0000000000A10000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000000.235077972.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499304086.0000000000970000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.238404371.0000000000D80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.499413072.0000000002EE0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.302895088.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
No contacted IP infos