Source: Yara match | File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY |
Source: | Binary string: AddInProcess32.pdb source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp |
Source: | Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp |
Source: | Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp |
Source: | Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: AddInProcess32.pdbpw source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp |
Source: | Binary string: c:\TeamCity\buildAgent\work\5644082abfe4d909\EFBuild\obj\Release\Migrate\migrate.pdb source: Order 20233.exe |
Source: | Binary string: mstsc.pdb source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp |
Source: | Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp |
Source: 4184-48M.21.dr | String found in binary or memory: https://ac.ecosia.org/autocomplete?q= |
Source: 4184-48M.21.dr | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= |
Source: 4184-48M.21.dr | String found in binary or memory: https://duckduckgo.com/ac/?q= |
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://duckduckgo.com/chrome_newtab |
Source: 4184-48M.21.dr | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= |
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search |
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command= |
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp |
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf |
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico |
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.sysinternals.com0 |
Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen |
Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com |
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group |
Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown |
Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender |
Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE |
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research |
Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD3854F8 | 0_2_00007FFBAD3854F8 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD3830A0 | 0_2_00007FFBAD3830A0 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD3830B0 | 0_2_00007FFBAD3830B0 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD3948D9 | 0_2_00007FFBAD3948D9 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD38A969 | 0_2_00007FFBAD38A969 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD385588 | 0_2_00007FFBAD385588 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD38BD36 | 0_2_00007FFBAD38BD36 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD382FD0 | 0_2_00007FFBAD382FD0 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD38D285 | 0_2_00007FFBAD38D285 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD3854F0 | 0_2_00007FFBAD3854F0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0185F900 | 17_2_0185F900 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01874120 | 17_2_01874120 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0186B090 | 17_2_0186B090 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018820A0 | 17_2_018820A0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_019220A8 | 17_2_019220A8 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_019228EC | 17_2_019228EC |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01911002 | 17_2_01911002 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0192E824 | 17_2_0192E824 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0188EBB0 | 17_2_0188EBB0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0191DBD2 | 17_2_0191DBD2 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_019103DA | 17_2_019103DA |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01922B28 | 17_2_01922B28 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0187AB40 | 17_2_0187AB40 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_019222AE | 17_2_019222AE |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0190FA2B | 17_2_0190FA2B |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01882581 | 17_2_01882581 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_019225DD | 17_2_019225DD |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0186D5E0 | 17_2_0186D5E0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01922D07 | 17_2_01922D07 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01850D20 | 17_2_01850D20 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01921D55 | 17_2_01921D55 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0186841F | 17_2_0186841F |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0191D466 | 17_2_0191D466 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0192DFCE | 17_2_0192DFCE |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01921FF1 | 17_2_01921FF1 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01922EF7 | 17_2_01922EF7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0191D616 | 17_2_0191D616 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01876E30 | 17_2_01876E30 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004012A7 | 17_2_004012A7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004223E6 | 17_2_004223E6 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0040B443 | 17_2_0040B443 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0040B447 | 17_2_0040B447 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004044C0 | 17_2_004044C0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004044C7 | 17_2_004044C7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0040FE77 | 17_2_0040FE77 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004046E7 | 17_2_004046E7 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD39A0AD NtResumeThread, | 0_2_00007FFBAD39A0AD |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD399F90 NtWriteVirtualMemory, | 0_2_00007FFBAD399F90 |
Source: C:\Users\user\Desktop\Order 20233.exe | Code function: 0_2_00007FFBAD39A538 NtResumeThread, | 0_2_00007FFBAD39A538 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018999A0 NtCreateSection,LdrInitializeThunk, | 17_2_018999A0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 17_2_01899910 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018998F0 NtReadVirtualMemory,LdrInitializeThunk, | 17_2_018998F0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899840 NtDelayExecution,LdrInitializeThunk, | 17_2_01899840 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899860 NtQuerySystemInformation,LdrInitializeThunk, | 17_2_01899860 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899A00 NtProtectVirtualMemory,LdrInitializeThunk, | 17_2_01899A00 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899A20 NtResumeThread,LdrInitializeThunk, | 17_2_01899A20 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899A50 NtCreateFile,LdrInitializeThunk, | 17_2_01899A50 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018995D0 NtClose,LdrInitializeThunk, | 17_2_018995D0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899540 NtReadFile,LdrInitializeThunk, | 17_2_01899540 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899780 NtMapViewOfSection,LdrInitializeThunk, | 17_2_01899780 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018997A0 NtUnmapViewOfSection,LdrInitializeThunk, | 17_2_018997A0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899FE0 NtCreateMutant,LdrInitializeThunk, | 17_2_01899FE0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899710 NtQueryInformationToken,LdrInitializeThunk, | 17_2_01899710 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018996E0 NtFreeVirtualMemory,LdrInitializeThunk, | 17_2_018996E0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899660 NtAllocateVirtualMemory,LdrInitializeThunk, | 17_2_01899660 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018999D0 NtCreateProcessEx, | 17_2_018999D0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899950 NtQueueApcThread, | 17_2_01899950 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018998A0 NtWriteVirtualMemory, | 17_2_018998A0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899820 NtEnumerateKey, | 17_2_01899820 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0189B040 NtSuspendThread, | 17_2_0189B040 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0189A3B0 NtGetContextThread, | 17_2_0189A3B0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899B00 NtSetValueKey, | 17_2_01899B00 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899A80 NtOpenDirectoryObject, | 17_2_01899A80 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899A10 NtQuerySection, | 17_2_01899A10 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018995F0 NtQueryInformationFile, | 17_2_018995F0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899520 NtWaitForSingleObject, | 17_2_01899520 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0189AD30 NtSetContextThread, | 17_2_0189AD30 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899560 NtWriteFile, | 17_2_01899560 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0189A710 NtOpenProcessToken, | 17_2_0189A710 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899730 NtQueryVirtualMemory, | 17_2_01899730 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899760 NtOpenProcess, | 17_2_01899760 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0189A770 NtOpenThread, | 17_2_0189A770 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899770 NtSetInformationFile, | 17_2_01899770 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_018996D0 NtCreateKey, | 17_2_018996D0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899610 NtEnumerateValueKey, | 17_2_01899610 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899650 NtQueryValueKey, | 17_2_01899650 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_01899670 NtQueryInformationProcess, | 17_2_01899670 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041E097 NtAllocateVirtualMemory, | 17_2_0041E097 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004012A7 NtProtectVirtualMemory, | 17_2_004012A7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041DEB7 NtCreateFile, | 17_2_0041DEB7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041DF67 NtReadFile, | 17_2_0041DF67 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041DFE7 NtClose, | 17_2_0041DFE7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041E091 NtAllocateVirtualMemory, | 17_2_0041E091 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_004014E9 NtProtectVirtualMemory, | 17_2_004014E9 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041DEB1 NtCreateFile, | 17_2_0041DEB1 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | Code function: 17_2_0041DFE2 NtClose, | 17_2_0041DFE2 |
Source: Order 20233.exe, 00000000.00000002.316784972.00000217728BB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs Order 20233.exe |
Source: Order 20233.exe, 00000000.00000002.317830281.00000217742B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe |
Source: Order 20233.exe, 00000000.00000002.312683792.0000021710011000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe |
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameprocexp.SysB vs Order 20233.exe |
Source: unknown | Process created: C:\Users\user\Desktop\Order 20233.exe C:\Users\user\Desktop\Order 20233.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe | |
Source: C:\Users\user\Desktop\Order 20233.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe | |
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe | |
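Every "Process created" row for the stub shows the same shape: a parent executing from the user's Desktop launches a signed .NET Framework utility whose command line is nothing but its own image path. Those utilities normally run with arguments, and argument-less launches of ten of them from one user-path parent is what a stub trying candidate hosts for its payload looks like. The following detection, an added example and not part of the sandbox report or any vendor tooling, parses rows in the format above and flags such parents. The user-writable path list, the Framework path pattern and the threshold of three children are assumptions chosen for this data; the sample rows are constructed to match the report's row format.

```python
"""Flag the spawning pattern in this report's 'Process created' rows: a parent
running from a user-writable path that launches several .NET Framework
utilities, each with a command line equal to its image path (no arguments).

Added example; not part of the sandbox report or any vendor tooling.
The path patterns and the child threshold are assumptions for this data.
"""
import re
from collections import defaultdict

ROW_RE = re.compile(
    r"Source: (?P<parent>.+?) \| Process created: (?P<image>.+?\.exe) (?P<cmdline>.*?) \|"
)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(Desktop|Downloads|AppData)\\", re.I)
DOTNET_FX = re.compile(r"\\Windows\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\", re.I)

FX = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
STUB = r"C:\Users\user\Desktop\Order 20233.exe"

# Constructed rows in the report's own format (same shape as the rows above).
SAMPLE_ROWS = [f"Source: unknown | Process created: {STUB} {STUB} | |"] + [
    f"Source: {STUB} | Process created: {FX}\\{child} {FX}\\{child} | |"
    for child in ["aspnet_compiler.exe", "AddInProcess.exe", "Microsoft.Workflow.Compiler.exe",
                  "dfsvc.exe", "aspnet_wp.exe", "aspnet_regsql.exe", "aspnet_regiis.exe",
                  "mscorsvw.exe", "ngen.exe", "AddInProcess32.exe"]
] + [r"Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe | |"]


def parse_rows(rows):
    """-> list of (parent, image, cmdline); rows that do not match are skipped."""
    parsed = []
    for row in rows:
        m = ROW_RE.search(row)
        if m:
            parsed.append((m["parent"], m["image"], m["cmdline"].strip()))
    return parsed


def launched_without_args(image, cmdline):
    """True when the command line is just the image path, optionally quoted."""
    return cmdline.strip().strip('"') == image


def flag_hollowing_parents(rows, min_children=3):
    """Return {parent: sorted child images} for every parent in a user-writable
    location that launched at least min_children distinct .NET Framework
    binaries with no arguments. min_children=3 is an assumed threshold."""
    hits = defaultdict(set)
    for parent, image, cmdline in parse_rows(rows):
        if not USER_WRITABLE.search(parent) or not DOTNET_FX.search(image):
            continue
        if not launched_without_args(image, cmdline):
            continue  # real arguments: ordinary use of the tool
        hits[parent].add(image)
    return {p: sorted(c) for p, c in hits.items() if len(c) >= min_children}


if __name__ == "__main__":
    for parent, children in flag_hollowing_parents(SAMPLE_ROWS).items():
        print(f"{parent}: {len(children)} argument-less .NET Framework children")
        for c in children:
            print("   ", c)
```

The same three conditions (user-writable parent, Framework child, empty argument list) map directly onto Sysmon event 1 or any EDR process-start feed, where they should be keyed on the parent's process GUID rather than its path. The explorer.exe to mstsc.exe row is deliberately not caught by this rule; attributing it needs the injection evidence from the memory rows, not the process tree alone.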