Windows Analysis Report
CSA73881.exe

Overview

General Information

Sample Name: CSA73881.exe
Analysis ID: 680378
MD5: 3ed3236517a40602d654555bc912d926
SHA1: 16dc042b543fe473703e711844f508d353d6d6af
SHA256: 3702b6cfa76e492d56bd9da5f99f7ff805e32c16b3840ee66bb13a812f5d3155
Tags: exe, formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Yara detected Generic Downloader
Queues an APC in another process (thread injection)
.NET source code contains very large array initializations
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file name is different from the original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: CSA73881.exe Avira: detected
Source: www.northpierangling.info/mh76/ Avira URL Cloud: Label: malware
Source: www.browardhomeappraisal.com Virustotal: Detection: 6%
Source: segurambiental.com Virustotal: Detection: 8%
Source: www.segurambiental.com Virustotal: Detection: 5%
Source: CSA73881.exe Joe Sandbox ML: detected
Source: 14.0.InstallUtil.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.northpierangling.info/mh76/"], "decoy": ["healthgovcalottery.net", "wenxinliao.com", "rooterphd.com", "bbobbo.one", "american-mes-de-dezembro.xyz", "mintager.com", "thespecialtstore.com", "wemakegreenhomes.com", "occurandmental.xyz", "fidelityrealtytitle.com", "numerisat.asia", "wearestallions.com", "supxl.com", "rajacumi.com", "renaziv.online", "blixtindustries.com", "fjljq.com", "exploretrivenicamping.com", "authenticusspa.com", "uucloud.press", "conclaveraleighapts.com", "moqaq.com", "graphicressie.com", "homebest.online", "yisaco.com", "thedrybonesareawakening.com", "browardhomeappraisal.com", "xn--agroisleos-09a.com", "clinchrecovery.com", "rekoladev.com", "mlbl1.xyz", "tunecaring.com", "avconstant.com", "chelseavictorioustravels.com", "esrfy.xyz", "frijolitoswey.com", "zsfsidltd.com", "natashasadler.com", "kice1.xyz", "drivemytrains.xyz", "shopalthosa.xyz", "merendri.com", "yetkiliveznem7.xyz", "milestonesconstruction.com", "apparodeoexpos.com", "momotou.xyz", "chatkhoneh.com", "cacconsults.com", "kigif-indonesia.com", "segurambiental.com", "verynicegirls.com", "curearrow.com", "fdupcoffee.com", "theclevergolfers.com", "moushimonster.com", "qdchuangyedaikuan.com", "hopefortodayrecovery.com", "wk6agoboyxg6.xyz", "giybetfm.com", "completedn.xyz", "eluawastudio.com", "legacysportsusatexas.com", "comgmaik.com", "intelsearchtech.com"]}
Source: CSA73881.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: CSA73881.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp

Networking

Source: C:\Windows\explorer.exe Domain query: www.segurambiental.com
Source: C:\Windows\explorer.exe Domain query: www.browardhomeappraisal.com
Source: C:\Windows\explorer.exe Network Connect: 103.224.182.210 80
Source: C:\Windows\explorer.exe Domain query: www.esrfy.xyz
Source: C:\Windows\explorer.exe Domain query: www.comgmaik.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.merendri.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.26.18 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49841 -> 34.102.136.180:80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49846 -> 103.224.182.210:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49846 -> 103.224.182.210:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49846 -> 103.224.182.210:80
Source: C:\Windows\explorer.exe DNS query: www.esrfy.xyz
Source: Yara match File source: 0.2.CSA73881.exe.ee70000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Malware configuration extractor URLs: www.northpierangling.info/mh76/
Source: Joe Sandbox View ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: Joe Sandbox View ASN Name: AMAZON-02US
Source: global traffic HTTP traffic detected: GET /mh76/?Axo=j8MnV1AauDvQLYEDQHkxR7wEsLuzS8wOqoRJGUEtb1NYKXHLD1QrWCJCw/4m9jwcj9zX&e0Dd=gPHX06 HTTP/1.1; Host: www.segurambiental.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic HTTP traffic detected: GET /mh76/?Axo=ZKvJ8T01Uu5swSUTolvzZP3eEu33eLq9PUpXuYL3kSIE+YGu43QnDiKj3vyinvzv5HiX&e0Dd=gPHX06 HTTP/1.1; Host: www.browardhomeappraisal.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic HTTP traffic detected: GET /mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLzHZ4&e0Dd=gPHX06 HTTP/1.1; Host: www.comgmaik.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View IP Address: 103.224.182.210
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: openresty; Date: Mon, 08 Aug 2022 12:28:06 GMT; Content-Type: text/html; Content-Length: 291; ETag: "62f0fdc3-123"; Via: 1.1 google; Connection: close; Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 403 Forbidden; Server: awselb/2.0; Date: Mon, 08 Aug 2022 12:28:27 GMT; Content-Type: text/html; Content-Length: 118; Connection: close; Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: CSA73881.exe, 00000000.00000002.314006871.00000000032B1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://google.com
Source: CSA73881.exe, 00000000.00000000.240713040.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://google.com)Exvkpxtvtblcdcgising7Uvadca.Properties.Resources
Source: CSA73881.exe, 00000000.00000002.315860973.00000000033D0000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.314521039.00000000032FA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://james.newtonking.com/projects/json
Source: control.exe, 0000001C.00000002.776382935.00000000056CF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://ww38.comgmaik.com/mh76/?Axo=0EXE3m3wBb2Nxgj7DVqNl/WDAC0gNsnNDZKaZxMvJErakGZtakhmesbqHtechaZLz
Source: CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: unknown DNS traffic detected: queries for: www.merendri.com

E-Banking Fraud

Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.315621485.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: CSA73881.exe PID: 5724, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: InstallUtil.exe PID: 5408, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 3004, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: CSA73881.exe, tdt.cs Large array initialization: sis: array initializer size 2178560
Source: CSA73881.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.315621485.00000000033A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: CSA73881.exe PID: 5724, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: InstallUtil.exe PID: 5408, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 3004, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0325C1A0 0_2_0325C1A0
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 0_2_064534C8
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06453058 0_2_06453058
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064510B0 0_2_064510B0
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06456AA0 0_2_06456AA0
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06458870 0_2_06458870
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06453018 0_2_06453018
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06459087 0_2_06459087
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064510A0 0_2_064510A0
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06456A90 0_2_06456A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E4120 14_2_012E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CF900 14_2_012CF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139E824 14_2_0139E824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA830 14_2_012EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381002 14_2_01381002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013920A8 14_2_013920A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DB090 14_2_012DB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013928EC 14_2_013928EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01392B28 14_2_01392B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EAB40 14_2_012EAB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FEBB0 14_2_012FEBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013803DA 14_2_013803DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138DBD2 14_2_0138DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0137FA2B 14_2_0137FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013922AE 14_2_013922AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C0D20 14_2_012C0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01392D07 14_2_01392D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01391D55 14_2_01391D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2581 14_2_012F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DD5E0 14_2_012DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013925DD 14_2_013925DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D841F 14_2_012D841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138D466 14_2_0138D466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01391FF1 14_2_01391FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139DFCE 14_2_0139DFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E6E30 14_2_012E6E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138D616 14_2_0138D616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01392EF7 14_2_01392EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: String function: 012CB150 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_01309910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013099A0 NtCreateSection,LdrInitializeThunk, 14_2_013099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_01309860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309840 NtDelayExecution,LdrInitializeThunk, 14_2_01309840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013098F0 NtReadVirtualMemory,LdrInitializeThunk, 14_2_013098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A20 NtResumeThread,LdrInitializeThunk, 14_2_01309A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A00 NtProtectVirtualMemory,LdrInitializeThunk, 14_2_01309A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A50 NtCreateFile,LdrInitializeThunk, 14_2_01309A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309540 NtReadFile,LdrInitializeThunk, 14_2_01309540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013095D0 NtClose,LdrInitializeThunk, 14_2_013095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309710 NtQueryInformationToken,LdrInitializeThunk, 14_2_01309710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013097A0 NtUnmapViewOfSection,LdrInitializeThunk, 14_2_013097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309780 NtMapViewOfSection,LdrInitializeThunk, 14_2_01309780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309660 NtAllocateVirtualMemory,LdrInitializeThunk, 14_2_01309660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013096E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_013096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309950 NtQueueApcThread, 14_2_01309950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013099D0 NtCreateProcessEx, 14_2_013099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309820 NtEnumerateKey, 14_2_01309820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130B040 NtSuspendThread, 14_2_0130B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013098A0 NtWriteVirtualMemory, 14_2_013098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309B00 NtSetValueKey, 14_2_01309B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130A3B0 NtGetContextThread, 14_2_0130A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A10 NtQuerySection, 14_2_01309A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309A80 NtOpenDirectoryObject, 14_2_01309A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130AD30 NtSetContextThread, 14_2_0130AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309520 NtWaitForSingleObject, 14_2_01309520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309560 NtWriteFile, 14_2_01309560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013095F0 NtQueryInformationFile, 14_2_013095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309730 NtQueryVirtualMemory, 14_2_01309730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130A710 NtOpenProcessToken, 14_2_0130A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130A770 NtOpenThread, 14_2_0130A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309770 NtSetInformationFile, 14_2_01309770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309760 NtOpenProcess, 14_2_01309760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309FE0 NtCreateMutant, 14_2_01309FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309610 NtEnumerateValueKey, 14_2_01309610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309670 NtQueryInformationProcess, 14_2_01309670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309650 NtQueryValueKey, 14_2_01309650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013096D0 NtCreateKey, 14_2_013096D0
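The NtXxx functions listed above (the 14_2_ prefix marks process index 14, which the wntdll.pdb Binary string lines further down identify as InstallUtil.exe) are the primitives behind the report's hollowing and injection signatures: NtUnmapViewOfSection, NtAllocateVirtualMemory and NtWriteVirtualMemory (or NtCreateSection/NtMapViewOfSection) to replace the host image, NtSetContextThread or NtQueueApcThread to redirect a thread, and NtResumeThread to run it. Their addresses (0x01309xxx) sit inside the 0x012A0000 region of that process that carries the wntdll.pdb string, consistent with the stubs belonging to a private copy of ntdll rather than to the loaded system image, which is why they appear as code functions of InstallUtil.exe instead of imports and why user-mode hooks on the real ntdll would not see them. Detection therefore has to key on cross-process use of these calls, not on their names alone. The following is an added example (Python, not part of the report or of the sample) that classifies an API-call trace into hollowing versus injection verdicts. The trace shape (caller PID, API, PID the handle refers to) is an assumption about what a tracer would record; the sample trace is constructed, and only PIDs 5724, 5408 and 3004 come from the report.

```python
"""Classify cross-process API activity into hollowing / injection verdicts.

Added example; it is neither part of the sandbox report nor FormBook code.
The trace format (caller_pid, api, target_pid) is an assumption about what a
hooking tracer would record. SAMPLE_TRACE is constructed: only the PIDs 5724
(CSA73881.exe), 5408 (InstallUtil.exe) and 3004 (control.exe) come from the
report; 3456 and 4321 are placeholders for explorer.exe and a fourth target
that the report does not identify.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    caller_pid: int
    api: str
    target_pid: int  # process the handle refers to; == caller_pid for self-calls


# Stage sets, using the NtXxx names the report lists for InstallUtil.exe.
UNMAP = {"NtUnmapViewOfSection"}
WRITE = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
HIJACK = {"NtSetContextThread", "NtQueueApcThread"}
RESUME = {"NtResumeThread"}


def _first(apis, stage, after=-1):
    """Index of the first call in `stage` strictly after index `after`, or None."""
    for i, name in enumerate(apis):
        if i > after and name in stage:
            return i
    return None


def classify_target(calls):
    """Verdict for one caller's ordered calls against one foreign process.

    'process_hollowing'        original image unmapped, then write, hijack, resume
    'thread_hijack_injection'  write, hijack, resume without an unmap
    'memory_write'             a write, but no thread was resumed afterwards
    None                       nothing injection-like
    """
    apis = [c.api for c in calls]
    w = _first(apis, WRITE)
    if w is None:
        return None
    h = _first(apis, HIJACK, after=w)
    r = _first(apis, RESUME, after=h) if h is not None else None
    if r is None:
        return "memory_write"
    u = _first(apis, UNMAP)
    return "process_hollowing" if u is not None and u < w else "thread_hijack_injection"


def detect_injection(trace):
    """Group a trace by (caller, target), ignore self-calls, return verdicts."""
    by_pair = defaultdict(list)
    for call in trace:
        if call.target_pid != call.caller_pid:
            by_pair[(call.caller_pid, call.target_pid)].append(call)
    verdicts = {}
    for pair, calls in by_pair.items():
        verdict = classify_target(calls)
        if verdict is not None:
            verdicts[pair] = verdict
    return verdicts


# Constructed trace mirroring the report's chain; not a real capture.
SAMPLE_TRACE = [
    # stage 1: the .NET loader hollows a suspended InstallUtil.exe
    ApiCall(5724, "NtCreateUserProcess", 5408),
    ApiCall(5724, "NtUnmapViewOfSection", 5408),
    ApiCall(5724, "NtAllocateVirtualMemory", 5408),
    ApiCall(5724, "NtWriteVirtualMemory", 5408),
    ApiCall(5724, "NtSetContextThread", 5408),
    ApiCall(5724, "NtResumeThread", 5408),
    # self-calls inside the hollowed host are not cross-process and are ignored
    ApiCall(5408, "NtAllocateVirtualMemory", 5408),
    ApiCall(5408, "NtProtectVirtualMemory", 5408),
    # stage 2: map a section into explorer.exe (placeholder PID) and run it via an APC
    ApiCall(5408, "NtMapViewOfSection", 3456),
    ApiCall(5408, "NtQueueApcThread", 3456),
    ApiCall(5408, "NtResumeThread", 3456),
    # stage 3: take over control.exe by rewriting a thread context, no unmap
    ApiCall(5408, "NtWriteVirtualMemory", 3004),
    ApiCall(5408, "NtSetContextThread", 3004),
    ApiCall(5408, "NtResumeThread", 3004),
    # a write with no control transfer (placeholder PID)
    ApiCall(5408, "NtWriteVirtualMemory", 4321),
]

if __name__ == "__main__":
    for (caller, target), verdict in sorted(detect_injection(SAMPLE_TRACE).items()):
        print(f"{caller} -> {target}: {verdict}")
```

The ordering checks matter: a write that is followed by a context change and a resume is a control transfer, while an unmap that happens before the first write is what separates hollowing from plain thread hijacking. Self-calls are dropped up front because a process legitimately allocates, protects and maps memory in itself.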
Source: CSA73881.exe, 00000000.00000000.240713040.0000000000DE2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamemobitech66754.exe. vs CSA73881.exe
Source: CSA73881.exe, 00000000.00000002.311026406.0000000001388000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs CSA73881.exe
Source: CSA73881.exe, 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameFbniqdbbwru.dll" vs CSA73881.exe
Source: CSA73881.exe, 00000000.00000002.327687009.000000000EE70000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameFbniqdbbwru.dll" vs CSA73881.exe
Source: CSA73881.exe, 00000000.00000002.314157578.00000000032C5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs CSA73881.exe
Source: CSA73881.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CSA73881.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\CSA73881.exe "C:\Users\user\Desktop\CSA73881.exe"
Source: C:\Users\user\Desktop\CSA73881.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
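The process chain above (desktop executable, then the .NET InstallUtil.exe started with no arguments, then control.exe, then cmd.exe /c del of the InstallUtil.exe host path) is the part of this sample that is visible to ordinary process-creation telemetry without any memory inspection. The conhost.exe 0xffffffff -ForceV1 child is the normal console host for cmd.exe and is not itself a signal. The following is an added example (Python, not from the report and not a vendor rule set) of three lineage checks over Sysmon Event ID 1-style records: a .NET utility launched with an empty command line, a system binary whose direct parent lives under a user-writable path, and cmd.exe deleting a file on behalf of a system process that does not normally spawn shells. The events are constructed from the Process created lines above; PIDs other than 5724, 5408 and 3004 are placeholders the report does not supply.

```python
"""Lineage checks for the chain CSA73881.exe -> InstallUtil.exe -> control.exe -> cmd.exe /c del.

Added example; neither part of the sandbox report nor a vendor rule set.
SAMPLE_EVENTS is constructed from the report's 'Process created' lines in a
Sysmon Event ID 1-like shape (pid, ppid, image, command line); PIDs other
than 5724, 5408 and 3004 are placeholders the report does not supply.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# .NET utilities that need an assembly argument to do anything useful; an empty
# command line means the image was started only to be a hollowing host.
# The report shows InstallUtil.exe; the others are common alternatives.
DOTNET_HOSTS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe"}
# System images that legitimately spawn shells and are not flagged by the del rule.
SHELL_SPAWNERS = {"explorer.exe", "cmd.exe", "powershell.exe", "services.exe",
                  "svchost.exe", "msiexec.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")
DEL_RE = re.compile(r"(?:^|\s)/c\s+(?:del|erase)\b", re.IGNORECASE)


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def is_system_image(path):
    return path.lower().startswith("c:\\windows\\")


def args_after_image(cmdline):
    """Everything after the (possibly quoted) executable token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def lineage(event, by_pid, max_depth=16):
    """Ancestors first, the event itself last; stops at an unknown parent or a cycle."""
    chain = [event]
    while len(chain) < max_depth and chain[-1].ppid in by_pid:
        chain.append(by_pid[chain[-1].ppid])
    return list(reversed(chain))


def evaluate(events):
    """Return (pid, rule, lineage) findings for the three behaviours of the chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image).lower()
        parent = by_pid.get(e.ppid)
        chain = " > ".join(basename(x.image) for x in lineage(e, by_pid))
        if name in DOTNET_HOSTS and not args_after_image(e.cmdline):
            findings.append((e.pid, "dotnet_host_without_arguments", chain))
        if is_system_image(e.image) and parent and any(m in parent.image.lower() for m in USER_WRITABLE):
            findings.append((e.pid, "system_binary_spawned_from_user_path", chain))
        if (name == "cmd.exe" and DEL_RE.search(args_after_image(e.cmdline)) and parent
                and is_system_image(parent.image)
                and basename(parent.image).lower() not in SHELL_SPAWNERS):
            findings.append((e.pid, "system_process_deletes_file", chain))
    return findings


# Constructed events; PIDs 4000, 3880, 3236 and 7xxx are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(4000, 600, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(5724, 4000, r"C:\Users\user\Desktop\CSA73881.exe", r'"C:\Users\user\Desktop\CSA73881.exe"'),
    ProcEvent(5408, 5724, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"),
    ProcEvent(3004, 5408, r"C:\Windows\SysWOW64\control.exe", r"C:\Windows\SysWOW64\control.exe"),
    ProcEvent(3880, 3004, r"C:\Windows\SysWOW64\cmd.exe",
              r'C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"'),
    ProcEvent(3236, 3880, r"C:\Windows\System32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    # benign look-alikes that must not fire
    ProcEvent(7001, 4000, r"C:\Windows\System32\cmd.exe", r'C:\Windows\System32\cmd.exe /c del "C:\Users\user\Desktop\old.txt"'),
    ProcEvent(7003, 4000, r"C:\Program Files\Acme\Installer.exe", r'"C:\Program Files\Acme\Installer.exe"'),
    ProcEvent(7002, 7003, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
              r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe" /i "C:\Program Files\Acme\svc.exe"'),
]

if __name__ == "__main__":
    for pid, rule, chain in evaluate(SAMPLE_EVENTS):
        print(f"{pid}: {rule}  [{chain}]")
```

The lineage string is what an analyst wants in the alert: it shows the user-path origin of a chain that otherwise consists only of signed Windows binaries. The del rule is deliberately narrow (parent must be a system image outside the usual shell spawners), because cmd /c del launched from explorer.exe or an installer is everyday noise.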
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\CSA73881.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CSA73881.exe.log
Source: classification engine Classification label: mal100.troj.evad.winEXE@8/1@5/3
Source: CSA73881.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\CSA73881.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3236:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
Source: CSA73881.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: CSA73881.exe Static file information: File size 2187264 > 1048576
Source: CSA73881.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: CSA73881.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x215200
Source: CSA73881.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: wntdll.pdbUGP source: InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: InstallUtil.exe, InstallUtil.exe, 0000000E.00000002.471073827.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, InstallUtil.exe, 0000000E.00000003.313743282.0000000001108000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.470353191.0000000004975000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.774017184.0000000004DCF000.00000040.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000003.474545794.0000000004B15000.00000004.00000800.00020000.00000000.sdmp, control.exe, 0000001C.00000002.771221161.0000000004CB0000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp
Source: Binary string: InstallUtil.pdb source: control.exe, 0000001C.00000002.767573609.00000000009FA000.00000004.00000020.00020000.00000000.sdmp, control.exe, 0000001C.00000002.776199164.00000000051DF000.00000004.10000000.00040000.00000000.sdmp

Data Obfuscation

Source: CSA73881.exe, tds.cs .Net Code: cov System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0325F888 push E8944D8Bh; ret 0_2_0325F88D
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 push es; iretd 0_2_06456600
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 push es; ret 0_2_0645663C
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064534C8 push es; retf 453Bh 0_2_0645666C
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06456601 push es; ret 0_2_0645663C
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645658D push es; retf 0_2_064565A4
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645658D push es; iretd 0_2_06456600
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_064565A5 push es; iretd 0_2_06456600
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645CCE6 push es; retf 0_2_0645CD04
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645CD4D push es; retf 0_2_0645CD2C
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_0645CD16 push ss; retf 0_2_0645CD19
Source: C:\Users\user\Desktop\CSA73881.exe Code function: 0_2_06452A75 push es; iretd 0_2_06452A78
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0131D0D1 push ecx; ret 14_2_0131D0E4

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8A 0xAE 0xED
Source: C:\Users\user\Desktop\CSA73881.exe Process information set: NOOPENFILEERRORBOX (47 occurrences)
Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030A9904 second address: 00000000030A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030A9B7E second address: 00000000030A9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
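The interceptor lines above show two rdtsc reads six bytes apart (0x409904 and 0x40990A, with xor ecx,ecx; add ecx,eax between them), the push imm32; ret and push es; iretd/retf sequences under Data Obfuscation are fixed encodings as well, and so are the mov reg, fs:[30h] PEB reads listed with the anti-debugging checks further down. All of them can be triaged with a byte-pattern sweep of a memory dump before any disassembly. The following is an added example (Python; not from the report and not the sample's code) that does this sweep. It assumes 32-bit x86 encodings; the buffer is constructed from the encodings of the instructions the report quotes (rdtsc; xor ecx,ecx; add ecx,eax; rdtsc and push 0E8944D8Bh; ret) padded with NOPs, and is not a dump of the sample.

```python
"""Byte-level scan for the anti-analysis idioms the report lists.

Added example, not part of the sandbox report and not FormBook's own code.
Patterns are raw 32-bit x86 encodings (an assumption; the sample's payload
processes are 32-bit per the report):
  rdtsc_pair        0F 31 ... 0F 31 within a few bytes   (timing check)
  push_imm_ret      68 imm32 C3                          (push/ret obfuscation)
  peb_read          64 A1 30 00 00 00 / 64 8B /r 30 00 00 00  (mov reg, fs:[30h])
  seg_push_far_ret  06|0E|16|1E then CA|CB|CF            (push seg; retf/iretd)
SAMPLE is constructed from the instructions quoted in the report, padded with
NOPs; it is not a dump of the sample.
"""
import re
from dataclasses import dataclass

PATTERNS = [
    # (kind, confidence, compiled regex)
    ("rdtsc_pair", "high", re.compile(rb"\x0f\x31(.{0,16}?)\x0f\x31", re.S)),
    ("push_imm_ret", "high", re.compile(rb"\x68(.{4})\xc3", re.S)),
    ("peb_read", "medium",
     re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")),
    # Compilers do not emit these, but a disassembler sweeping data produces them
    # too, so on their own they only corroborate the higher-confidence hits.
    ("seg_push_far_ret", "low", re.compile(rb"[\x06\x0e\x16\x1e][\xca\xcb\xcf]")),
]


@dataclass(frozen=True)
class Hit:
    kind: str
    offset: int
    confidence: str
    note: str


def scan(buf, base=0):
    """Return all pattern hits in `buf`, offsets rebased to `base`, sorted by offset."""
    hits = []
    for kind, conf, rx in PATTERNS:
        for m in rx.finditer(buf):
            if kind == "rdtsc_pair":
                note = f"{len(m.group(1))} bytes between rdtsc reads"
            elif kind == "push_imm_ret":
                note = f"ret target 0x{int.from_bytes(m.group(1), 'little'):08X}"
            else:
                note = m.group(0).hex(" ")
            hits.append(Hit(kind, base + m.start(), conf, note))
    return sorted(hits, key=lambda h: h.offset)


def summarize(hits):
    """Count hits per kind, the shape a scoring rule would consume."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return counts


# Constructed buffer; offsets in the comments are relative to its start.
SAMPLE = (
    b"\x55\x8b\xec"                        # 0: push ebp; mov ebp, esp (ordinary prologue)
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"  # 3: rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x90" * 4
    + b"\x68\x8b\x4d\x94\xe8\xc3"          # 15: push 0E8944D8Bh; ret
    + b"\x90" * 4
    + b"\x64\xa1\x30\x00\x00\x00"          # 25: mov eax, fs:[30h]
    + b"\x90" * 4
    + b"\x06\xcf"                          # 35: push es; iretd
    + b"\xc3"
)

if __name__ == "__main__":
    for h in scan(SAMPLE, base=0x00409900):
        print(f"{h.offset:08X} {h.kind:<18} {h.confidence:<6} {h.note}")
    print(summarize(scan(SAMPLE)))
```

The rdtsc gap is the useful number: a pair of reads separated by a handful of instructions exists only to measure the cost of executing almost nothing, which is what distinguishes a sandbox or single-stepping debugger from bare metal. The push/ret note decodes the immediate so the target of the disguised jump can be checked against the dump's mapped ranges.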
Source: C:\Users\user\Desktop\CSA73881.exe TID: 5728 Thread sleep time: -922337203685477s >= -30000s (the magnitude is 2^63 / 10^4, i.e. a relative NtDelayExecution interval of 0x8000000000000000 in 100 ns ticks, the INFINITE delay that SleepEx and Thread.Sleep(Timeout.Infinite) hand to the kernel: the original process parks itself indefinitely)
Source: C:\Windows\explorer.exe TID: 5708 Thread sleep count: 34 > 30
Source: C:\Windows\explorer.exe TID: 5708 Thread sleep time: -68000s >= -30000s
Source: C:\Windows\SysWOW64\control.exe TID: 5548 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01395BA5 rdtsc 14_2_01395BA5
Source: C:\Users\user\Desktop\CSA73881.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe API coverage: 4.7 %
Source: C:\Users\user\Desktop\CSA73881.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\CSA73881.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000010.00000000.406845206.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000010.00000000.406845206.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Prod_VMware_SATA
Source: explorer.exe, 00000010.00000000.377793288.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000010.00000000.386869206.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000010.00000000.435627274.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000010.00000000.435840749.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.386869206.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000010.00000000.342446094.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000010.00000000.377793288.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000010.00000000.357973152.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000010.00000000.386869206.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000010.00000000.406845206.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000010.00000000.386869206.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01395BA5 rdtsc 14_2_01395BA5
Source: C:\Users\user\Desktop\CSA73881.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\control.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E4120 mov eax, dword ptr fs:[00000030h] 14_2_012E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E4120 mov eax, dword ptr fs:[00000030h] 14_2_012E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E4120 mov eax, dword ptr fs:[00000030h] 14_2_012E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E4120 mov eax, dword ptr fs:[00000030h] 14_2_012E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E4120 mov ecx, dword ptr fs:[00000030h] 14_2_012E4120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F513A mov eax, dword ptr fs:[00000030h] 14_2_012F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F513A mov eax, dword ptr fs:[00000030h] 14_2_012F513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9100 mov eax, dword ptr fs:[00000030h] 14_2_012C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9100 mov eax, dword ptr fs:[00000030h] 14_2_012C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9100 mov eax, dword ptr fs:[00000030h] 14_2_012C9100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CC962 mov eax, dword ptr fs:[00000030h] 14_2_012CC962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CB171 mov eax, dword ptr fs:[00000030h] 14_2_012CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CB171 mov eax, dword ptr fs:[00000030h] 14_2_012CB171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EB944 mov eax, dword ptr fs:[00000030h] 14_2_012EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EB944 mov eax, dword ptr fs:[00000030h] 14_2_012EB944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013451BE mov eax, dword ptr fs:[00000030h] 14_2_013451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013451BE mov eax, dword ptr fs:[00000030h] 14_2_013451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013451BE mov eax, dword ptr fs:[00000030h] 14_2_013451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013451BE mov eax, dword ptr fs:[00000030h] 14_2_013451BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F61A0 mov eax, dword ptr fs:[00000030h] 14_2_012F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F61A0 mov eax, dword ptr fs:[00000030h] 14_2_012F61A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013469A6 mov eax, dword ptr fs:[00000030h] 14_2_013469A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013849A4 mov eax, dword ptr fs:[00000030h] 14_2_013849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013849A4 mov eax, dword ptr fs:[00000030h] 14_2_013849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013849A4 mov eax, dword ptr fs:[00000030h] 14_2_013849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013849A4 mov eax, dword ptr fs:[00000030h] 14_2_013849A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FA185 mov eax, dword ptr fs:[00000030h] 14_2_012FA185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EC182 mov eax, dword ptr fs:[00000030h] 14_2_012EC182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2990 mov eax, dword ptr fs:[00000030h] 14_2_012F2990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CB1E1 mov eax, dword ptr fs:[00000030h] 14_2_012CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CB1E1 mov eax, dword ptr fs:[00000030h] 14_2_012CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CB1E1 mov eax, dword ptr fs:[00000030h] 14_2_012CB1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013541E8 mov eax, dword ptr fs:[00000030h] 14_2_013541E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F002D mov eax, dword ptr fs:[00000030h] 14_2_012F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F002D mov eax, dword ptr fs:[00000030h] 14_2_012F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F002D mov eax, dword ptr fs:[00000030h] 14_2_012F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F002D mov eax, dword ptr fs:[00000030h] 14_2_012F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F002D mov eax, dword ptr fs:[00000030h] 14_2_012F002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DB02A mov eax, dword ptr fs:[00000030h] 14_2_012DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DB02A mov eax, dword ptr fs:[00000030h] 14_2_012DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DB02A mov eax, dword ptr fs:[00000030h] 14_2_012DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DB02A mov eax, dword ptr fs:[00000030h] 14_2_012DB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA830 mov eax, dword ptr fs:[00000030h] 14_2_012EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA830 mov eax, dword ptr fs:[00000030h] 14_2_012EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA830 mov eax, dword ptr fs:[00000030h] 14_2_012EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA830 mov eax, dword ptr fs:[00000030h] 14_2_012EA830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01347016 mov eax, dword ptr fs:[00000030h] 14_2_01347016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01347016 mov eax, dword ptr fs:[00000030h] 14_2_01347016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01347016 mov eax, dword ptr fs:[00000030h] 14_2_01347016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01394015 mov eax, dword ptr fs:[00000030h] 14_2_01394015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01394015 mov eax, dword ptr fs:[00000030h] 14_2_01394015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01382073 mov eax, dword ptr fs:[00000030h] 14_2_01382073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01391074 mov eax, dword ptr fs:[00000030h] 14_2_01391074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E0050 mov eax, dword ptr fs:[00000030h] 14_2_012E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E0050 mov eax, dword ptr fs:[00000030h] 14_2_012E0050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 mov eax, dword ptr fs:[00000030h] 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 mov eax, dword ptr fs:[00000030h] 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 mov eax, dword ptr fs:[00000030h] 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 mov eax, dword ptr fs:[00000030h] 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 mov eax, dword ptr fs:[00000030h] 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F20A0 mov eax, dword ptr fs:[00000030h] 14_2_012F20A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FF0BF mov ecx, dword ptr fs:[00000030h] 14_2_012FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FF0BF mov eax, dword ptr fs:[00000030h] 14_2_012FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FF0BF mov eax, dword ptr fs:[00000030h] 14_2_012FF0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013090AF mov eax, dword ptr fs:[00000030h] 14_2_013090AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9080 mov eax, dword ptr fs:[00000030h] 14_2_012C9080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01343884 mov eax, dword ptr fs:[00000030h] 14_2_01343884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01343884 mov eax, dword ptr fs:[00000030h] 14_2_01343884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C58EC mov eax, dword ptr fs:[00000030h] 14_2_012C58EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C40E1 mov eax, dword ptr fs:[00000030h] 14_2_012C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C40E1 mov eax, dword ptr fs:[00000030h] 14_2_012C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C40E1 mov eax, dword ptr fs:[00000030h] 14_2_012C40E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0135B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135B8D0 mov ecx, dword ptr fs:[00000030h] 14_2_0135B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0135B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0135B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0135B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135B8D0 mov eax, dword ptr fs:[00000030h] 14_2_0135B8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138131B mov eax, dword ptr fs:[00000030h] 14_2_0138131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CDB60 mov ecx, dword ptr fs:[00000030h] 14_2_012CDB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F3B7A mov eax, dword ptr fs:[00000030h] 14_2_012F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F3B7A mov eax, dword ptr fs:[00000030h] 14_2_012F3B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01398B58 mov eax, dword ptr fs:[00000030h] 14_2_01398B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CDB40 mov eax, dword ptr fs:[00000030h] 14_2_012CDB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CF358 mov eax, dword ptr fs:[00000030h] 14_2_012CF358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F4BAD mov eax, dword ptr fs:[00000030h] 14_2_012F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F4BAD mov eax, dword ptr fs:[00000030h] 14_2_012F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F4BAD mov eax, dword ptr fs:[00000030h] 14_2_012F4BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01395BA5 mov eax, dword ptr fs:[00000030h] 14_2_01395BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D1B8F mov eax, dword ptr fs:[00000030h] 14_2_012D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D1B8F mov eax, dword ptr fs:[00000030h] 14_2_012D1B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138138A mov eax, dword ptr fs:[00000030h] 14_2_0138138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0137D380 mov ecx, dword ptr fs:[00000030h] 14_2_0137D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2397 mov eax, dword ptr fs:[00000030h] 14_2_012F2397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FB390 mov eax, dword ptr fs:[00000030h] 14_2_012FB390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EDBE9 mov eax, dword ptr fs:[00000030h] 14_2_012EDBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F03E2 mov eax, dword ptr fs:[00000030h] 14_2_012F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F03E2 mov eax, dword ptr fs:[00000030h] 14_2_012F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F03E2 mov eax, dword ptr fs:[00000030h] 14_2_012F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F03E2 mov eax, dword ptr fs:[00000030h] 14_2_012F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F03E2 mov eax, dword ptr fs:[00000030h] 14_2_012F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F03E2 mov eax, dword ptr fs:[00000030h] 14_2_012F03E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013453CA mov eax, dword ptr fs:[00000030h] 14_2_013453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013453CA mov eax, dword ptr fs:[00000030h] 14_2_013453CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EA229 mov eax, dword ptr fs:[00000030h] 14_2_012EA229
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01304A2C mov eax, dword ptr fs:[00000030h] 14_2_01304A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01304A2C mov eax, dword ptr fs:[00000030h] 14_2_01304A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D8A0A mov eax, dword ptr fs:[00000030h] 14_2_012D8A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138AA16 mov eax, dword ptr fs:[00000030h] 14_2_0138AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138AA16 mov eax, dword ptr fs:[00000030h] 14_2_0138AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E3A1C mov eax, dword ptr fs:[00000030h] 14_2_012E3A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CAA16 mov eax, dword ptr fs:[00000030h] 14_2_012CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CAA16 mov eax, dword ptr fs:[00000030h] 14_2_012CAA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C5210 mov eax, dword ptr fs:[00000030h] 14_2_012C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C5210 mov ecx, dword ptr fs:[00000030h] 14_2_012C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C5210 mov eax, dword ptr fs:[00000030h] 14_2_012C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C5210 mov eax, dword ptr fs:[00000030h] 14_2_012C5210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0130927A mov eax, dword ptr fs:[00000030h] 14_2_0130927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0137B260 mov eax, dword ptr fs:[00000030h] 14_2_0137B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0137B260 mov eax, dword ptr fs:[00000030h] 14_2_0137B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01398A62 mov eax, dword ptr fs:[00000030h] 14_2_01398A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01354257 mov eax, dword ptr fs:[00000030h] 14_2_01354257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9240 mov eax, dword ptr fs:[00000030h] 14_2_012C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9240 mov eax, dword ptr fs:[00000030h] 14_2_012C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9240 mov eax, dword ptr fs:[00000030h] 14_2_012C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C9240 mov eax, dword ptr fs:[00000030h] 14_2_012C9240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138EA55 mov eax, dword ptr fs:[00000030h] 14_2_0138EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C52A5 mov eax, dword ptr fs:[00000030h] 14_2_012C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C52A5 mov eax, dword ptr fs:[00000030h] 14_2_012C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C52A5 mov eax, dword ptr fs:[00000030h] 14_2_012C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C52A5 mov eax, dword ptr fs:[00000030h] 14_2_012C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C52A5 mov eax, dword ptr fs:[00000030h] 14_2_012C52A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DAAB0 mov eax, dword ptr fs:[00000030h] 14_2_012DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DAAB0 mov eax, dword ptr fs:[00000030h] 14_2_012DAAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FFAB0 mov eax, dword ptr fs:[00000030h] 14_2_012FFAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FD294 mov eax, dword ptr fs:[00000030h] 14_2_012FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FD294 mov eax, dword ptr fs:[00000030h] 14_2_012FD294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2AE4 mov eax, dword ptr fs:[00000030h] 14_2_012F2AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2ACB mov eax, dword ptr fs:[00000030h] 14_2_012F2ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138E539 mov eax, dword ptr fs:[00000030h] 14_2_0138E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0134A537 mov eax, dword ptr fs:[00000030h] 14_2_0134A537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01398D34 mov eax, dword ptr fs:[00000030h] 14_2_01398D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F4D3B mov eax, dword ptr fs:[00000030h] 14_2_012F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F4D3B mov eax, dword ptr fs:[00000030h] 14_2_012F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F4D3B mov eax, dword ptr fs:[00000030h] 14_2_012F4D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D3D34 mov eax, dword ptr fs:[00000030h] 14_2_012D3D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CAD30 mov eax, dword ptr fs:[00000030h] 14_2_012CAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EC577 mov eax, dword ptr fs:[00000030h] 14_2_012EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EC577 mov eax, dword ptr fs:[00000030h] 14_2_012EC577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01303D43 mov eax, dword ptr fs:[00000030h] 14_2_01303D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01343540 mov eax, dword ptr fs:[00000030h] 14_2_01343540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01373D40 mov eax, dword ptr fs:[00000030h] 14_2_01373D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E7D50 mov eax, dword ptr fs:[00000030h] 14_2_012E7D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F35A1 mov eax, dword ptr fs:[00000030h] 14_2_012F35A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013905AC mov eax, dword ptr fs:[00000030h] 14_2_013905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013905AC mov eax, dword ptr fs:[00000030h] 14_2_013905AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F1DB5 mov eax, dword ptr fs:[00000030h] 14_2_012F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F1DB5 mov eax, dword ptr fs:[00000030h] 14_2_012F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F1DB5 mov eax, dword ptr fs:[00000030h] 14_2_012F1DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h] 14_2_012C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h] 14_2_012C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h] 14_2_012C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h] 14_2_012C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C2D8A mov eax, dword ptr fs:[00000030h] 14_2_012C2D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h] 14_2_012F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h] 14_2_012F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h] 14_2_012F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F2581 mov eax, dword ptr fs:[00000030h] 14_2_012F2581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FFD9B mov eax, dword ptr fs:[00000030h] 14_2_012FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FFD9B mov eax, dword ptr fs:[00000030h] 14_2_012FFD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01378DF1 mov eax, dword ptr fs:[00000030h] 14_2_01378DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DD5E0 mov eax, dword ptr fs:[00000030h] 14_2_012DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DD5E0 mov eax, dword ptr fs:[00000030h] 14_2_012DD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0138FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0138FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0138FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138FDE2 mov eax, dword ptr fs:[00000030h] 14_2_0138FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h] 14_2_01346DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h] 14_2_01346DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h] 14_2_01346DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346DC9 mov ecx, dword ptr fs:[00000030h] 14_2_01346DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h] 14_2_01346DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346DC9 mov eax, dword ptr fs:[00000030h] 14_2_01346DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FBC2C mov eax, dword ptr fs:[00000030h] 14_2_012FBC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139740D mov eax, dword ptr fs:[00000030h] 14_2_0139740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139740D mov eax, dword ptr fs:[00000030h] 14_2_0139740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139740D mov eax, dword ptr fs:[00000030h] 14_2_0139740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381C06 mov eax, dword ptr fs:[00000030h] 14_2_01381C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h] 14_2_01346C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h] 14_2_01346C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h] 14_2_01346C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346C0A mov eax, dword ptr fs:[00000030h] 14_2_01346C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012E746D mov eax, dword ptr fs:[00000030h] 14_2_012E746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FA44B mov eax, dword ptr fs:[00000030h] 14_2_012FA44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135C450 mov eax, dword ptr fs:[00000030h] 14_2_0135C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135C450 mov eax, dword ptr fs:[00000030h] 14_2_0135C450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D849B mov eax, dword ptr fs:[00000030h] 14_2_012D849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013814FB mov eax, dword ptr fs:[00000030h] 14_2_013814FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346CF0 mov eax, dword ptr fs:[00000030h] 14_2_01346CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346CF0 mov eax, dword ptr fs:[00000030h] 14_2_01346CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01346CF0 mov eax, dword ptr fs:[00000030h] 14_2_01346CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01398CD6 mov eax, dword ptr fs:[00000030h] 14_2_01398CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C4F2E mov eax, dword ptr fs:[00000030h] 14_2_012C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012C4F2E mov eax, dword ptr fs:[00000030h] 14_2_012C4F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FE730 mov eax, dword ptr fs:[00000030h] 14_2_012FE730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FA70E mov eax, dword ptr fs:[00000030h] 14_2_012FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FA70E mov eax, dword ptr fs:[00000030h] 14_2_012FA70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135FF10 mov eax, dword ptr fs:[00000030h] 14_2_0135FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135FF10 mov eax, dword ptr fs:[00000030h] 14_2_0135FF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139070D mov eax, dword ptr fs:[00000030h] 14_2_0139070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0139070D mov eax, dword ptr fs:[00000030h] 14_2_0139070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EF716 mov eax, dword ptr fs:[00000030h] 14_2_012EF716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DFF60 mov eax, dword ptr fs:[00000030h] 14_2_012DFF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01398F6A mov eax, dword ptr fs:[00000030h] 14_2_01398F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012DEF40 mov eax, dword ptr fs:[00000030h] 14_2_012DEF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01347794 mov eax, dword ptr fs:[00000030h] 14_2_01347794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01347794 mov eax, dword ptr fs:[00000030h] 14_2_01347794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01347794 mov eax, dword ptr fs:[00000030h] 14_2_01347794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D8794 mov eax, dword ptr fs:[00000030h] 14_2_012D8794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013037F5 mov eax, dword ptr fs:[00000030h] 14_2_013037F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0137FE3F mov eax, dword ptr fs:[00000030h] 14_2_0137FE3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CE620 mov eax, dword ptr fs:[00000030h] 14_2_012CE620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CC600 mov eax, dword ptr fs:[00000030h] 14_2_012CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CC600 mov eax, dword ptr fs:[00000030h] 14_2_012CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012CC600 mov eax, dword ptr fs:[00000030h] 14_2_012CC600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F8E00 mov eax, dword ptr fs:[00000030h] 14_2_012F8E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01381608 mov eax, dword ptr fs:[00000030h] 14_2_01381608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FA61C mov eax, dword ptr fs:[00000030h] 14_2_012FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012FA61C mov eax, dword ptr fs:[00000030h] 14_2_012FA61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D766D mov eax, dword ptr fs:[00000030h] 14_2_012D766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h] 14_2_012EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h] 14_2_012EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h] 14_2_012EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h] 14_2_012EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012EAE73 mov eax, dword ptr fs:[00000030h] 14_2_012EAE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h] 14_2_012D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h] 14_2_012D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h] 14_2_012D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h] 14_2_012D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h] 14_2_012D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D7E41 mov eax, dword ptr fs:[00000030h] 14_2_012D7E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138AE44 mov eax, dword ptr fs:[00000030h] 14_2_0138AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0138AE44 mov eax, dword ptr fs:[00000030h] 14_2_0138AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_013446A7 mov eax, dword ptr fs:[00000030h] 14_2_013446A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01390EA5 mov eax, dword ptr fs:[00000030h] 14_2_01390EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01390EA5 mov eax, dword ptr fs:[00000030h] 14_2_01390EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01390EA5 mov eax, dword ptr fs:[00000030h] 14_2_01390EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0135FE87 mov eax, dword ptr fs:[00000030h] 14_2_0135FE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F16E0 mov ecx, dword ptr fs:[00000030h] 14_2_012F16E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012D76E2 mov eax, dword ptr fs:[00000030h] 14_2_012D76E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_012F36CC mov eax, dword ptr fs:[00000030h] 14_2_012F36CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01398ED6 mov eax, dword ptr fs:[00000030h] 14_2_01398ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_0137FEC0 mov eax, dword ptr fs:[00000030h] 14_2_0137FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01308EC7 mov eax, dword ptr fs:[00000030h] 14_2_01308EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Code function: 14_2_01309910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_01309910
Source: C:\Users\user\Desktop\CSA73881.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.segurambiental.com
Source: C:\Windows\explorer.exe Domain query: www.browardhomeappraisal.com
Source: C:\Windows\explorer.exe Network Connect: 103.224.182.210 80
Source: C:\Windows\explorer.exe Domain query: www.esrfy.xyz
Source: C:\Windows\explorer.exe Domain query: www.comgmaik.com
Source: C:\Windows\explorer.exe Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe Domain query: www.merendri.com
Source: C:\Windows\explorer.exe Network Connect: 75.2.26.18 80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section unmapped: C:\Windows\SysWOW64\control.exe base address: 890000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\control.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000
Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 401000
Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: AB7008
Source: C:\Users\user\Desktop\CSA73881.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\control.exe Thread register set: target process: 3968
Source: C:\Users\user\Desktop\CSA73881.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Source: explorer.exe, 00000010.00000000.318909636.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.375375689.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.435659578.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000010.00000000.356215989.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.386225698.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.396586239.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.437265455.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.396586239.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.437265455.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000010.00000000.395610041.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.319100792.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000000.375444766.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000010.00000000.321643618.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.396586239.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000010.00000000.437265455.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Users\user\Desktop\CSA73881.exe VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\CSA73881.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 14.0.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000010.00000000.411747127.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.765436230.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000000.390629415.000000000D77B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000000.309497191.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.769483906.0000000002DA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.318276189.000000000435E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.319250218.00000000043F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.770516120.00000000030A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY