| Source: Yara match |
File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: |
Binary string: AddInProcess32.pdb source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp |
| Source: |
Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp |
| Source: |
Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp |
| Source: |
Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp |
| Source: |
Binary string: AddInProcess32.pdbpw source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp |
| Source: |
Binary string: c:\TeamCity\buildAgent\work\5644082abfe4d909\EFBuild\obj\Release\Migrate\migrate.pdb source: Order 20233.exe |
| Source: |
Binary string: mstsc.pdb source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp |
| Source: |
Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp |
| Source: 4184-48M.21.dr |
String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
| Source: 4184-48M.21.dr |
String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
| Source: 4184-48M.21.dr |
String found in binary or memory: https://duckduckgo.com/ac/?q= |
| Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr |
String found in binary or memory: https://duckduckgo.com/chrome_newtab |
| Source: 4184-48M.21.dr |
String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
| Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr |
String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
| Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr |
String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
| Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr |
String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
| Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr |
String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
| Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr |
String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
| Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: https://www.sysinternals.com0 |
| Source: Yara match |
File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: Yara match |
File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
| Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
| Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
| Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
| Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
| Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
| Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
| Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
| Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
| Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
| Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR |
Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD3854F8 |
0_2_00007FFBAD3854F8 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD3830A0 |
0_2_00007FFBAD3830A0 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD3830B0 |
0_2_00007FFBAD3830B0 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD3948D9 |
0_2_00007FFBAD3948D9 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD38A969 |
0_2_00007FFBAD38A969 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD385588 |
0_2_00007FFBAD385588 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD38BD36 |
0_2_00007FFBAD38BD36 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD382FD0 |
0_2_00007FFBAD382FD0 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD38D285 |
0_2_00007FFBAD38D285 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD3854F0 |
0_2_00007FFBAD3854F0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0185F900 |
17_2_0185F900 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01874120 |
17_2_01874120 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0186B090 |
17_2_0186B090 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018820A0 |
17_2_018820A0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_019220A8 |
17_2_019220A8 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_019228EC |
17_2_019228EC |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01911002 |
17_2_01911002 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0192E824 |
17_2_0192E824 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0188EBB0 |
17_2_0188EBB0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0191DBD2 |
17_2_0191DBD2 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_019103DA |
17_2_019103DA |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01922B28 |
17_2_01922B28 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0187AB40 |
17_2_0187AB40 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_019222AE |
17_2_019222AE |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0190FA2B |
17_2_0190FA2B |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01882581 |
17_2_01882581 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_019225DD |
17_2_019225DD |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0186D5E0 |
17_2_0186D5E0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01922D07 |
17_2_01922D07 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01850D20 |
17_2_01850D20 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01921D55 |
17_2_01921D55 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0186841F |
17_2_0186841F |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0191D466 |
17_2_0191D466 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0192DFCE |
17_2_0192DFCE |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01921FF1 |
17_2_01921FF1 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01922EF7 |
17_2_01922EF7 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0191D616 |
17_2_0191D616 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01876E30 |
17_2_01876E30 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004012A7 |
17_2_004012A7 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004223E6 |
17_2_004223E6 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0040B443 |
17_2_0040B443 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0040B447 |
17_2_0040B447 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004044C0 |
17_2_004044C0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004044C7 |
17_2_004044C7 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0040FE77 |
17_2_0040FE77 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004046E7 |
17_2_004046E7 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD39A0AD NtResumeThread, |
0_2_00007FFBAD39A0AD |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD399F90 NtWriteVirtualMemory, |
0_2_00007FFBAD399F90 |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Code function: 0_2_00007FFBAD39A538 NtResumeThread, |
0_2_00007FFBAD39A538 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018999A0 NtCreateSection,LdrInitializeThunk, |
17_2_018999A0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899910 NtAdjustPrivilegesToken,LdrInitializeThunk, |
17_2_01899910 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018998F0 NtReadVirtualMemory,LdrInitializeThunk, |
17_2_018998F0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899840 NtDelayExecution,LdrInitializeThunk, |
17_2_01899840 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899860 NtQuerySystemInformation,LdrInitializeThunk, |
17_2_01899860 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899A00 NtProtectVirtualMemory,LdrInitializeThunk, |
17_2_01899A00 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899A20 NtResumeThread,LdrInitializeThunk, |
17_2_01899A20 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899A50 NtCreateFile,LdrInitializeThunk, |
17_2_01899A50 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018995D0 NtClose,LdrInitializeThunk, |
17_2_018995D0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899540 NtReadFile,LdrInitializeThunk, |
17_2_01899540 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899780 NtMapViewOfSection,LdrInitializeThunk, |
17_2_01899780 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018997A0 NtUnmapViewOfSection,LdrInitializeThunk, |
17_2_018997A0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899FE0 NtCreateMutant,LdrInitializeThunk, |
17_2_01899FE0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899710 NtQueryInformationToken,LdrInitializeThunk, |
17_2_01899710 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018996E0 NtFreeVirtualMemory,LdrInitializeThunk, |
17_2_018996E0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899660 NtAllocateVirtualMemory,LdrInitializeThunk, |
17_2_01899660 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018999D0 NtCreateProcessEx, |
17_2_018999D0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899950 NtQueueApcThread, |
17_2_01899950 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018998A0 NtWriteVirtualMemory, |
17_2_018998A0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899820 NtEnumerateKey, |
17_2_01899820 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0189B040 NtSuspendThread, |
17_2_0189B040 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0189A3B0 NtGetContextThread, |
17_2_0189A3B0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899B00 NtSetValueKey, |
17_2_01899B00 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899A80 NtOpenDirectoryObject, |
17_2_01899A80 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899A10 NtQuerySection, |
17_2_01899A10 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018995F0 NtQueryInformationFile, |
17_2_018995F0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899520 NtWaitForSingleObject, |
17_2_01899520 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0189AD30 NtSetContextThread, |
17_2_0189AD30 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899560 NtWriteFile, |
17_2_01899560 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0189A710 NtOpenProcessToken, |
17_2_0189A710 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899730 NtQueryVirtualMemory, |
17_2_01899730 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899760 NtOpenProcess, |
17_2_01899760 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0189A770 NtOpenThread, |
17_2_0189A770 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899770 NtSetInformationFile, |
17_2_01899770 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_018996D0 NtCreateKey, |
17_2_018996D0 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899610 NtEnumerateValueKey, |
17_2_01899610 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899650 NtQueryValueKey, |
17_2_01899650 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_01899670 NtQueryInformationProcess, |
17_2_01899670 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041E097 NtAllocateVirtualMemory, |
17_2_0041E097 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004012A7 NtProtectVirtualMemory, |
17_2_004012A7 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041DEB7 NtCreateFile, |
17_2_0041DEB7 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041DF67 NtReadFile, |
17_2_0041DF67 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041DFE7 NtClose, |
17_2_0041DFE7 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041E091 NtAllocateVirtualMemory, |
17_2_0041E091 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_004014E9 NtProtectVirtualMemory, |
17_2_004014E9 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041DEB1 NtCreateFile, |
17_2_0041DEB1 |
| Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Code function: 17_2_0041DFE2 NtClose, |
17_2_0041DFE2 |
| Source: Order 20233.exe, 00000000.00000002.316784972.00000217728BB000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs Order 20233.exe |
| Source: Order 20233.exe, 00000000.00000002.317830281.00000217742B0000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe |
| Source: Order 20233.exe, 00000000.00000002.312683792.0000021710011000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe |
| Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprocexp.SysB vs Order 20233.exe |
| Source: unknown |
Process created: C:\Users\user\Desktop\Order 20233.exe C:\Users\user\Desktop\Order 20233.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
|
| Source: C:\Windows\explorer.exe |
Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe |
|
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe |
Jump to behavior |
| Source: C:\Users\user\Desktop\Order 20233.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Jump to behavior |
