Edit tour

Windows Analysis Report
Order 20233.exe

Overview

General Information

Sample Name:	Order 20233.exe
Analysis ID:	780222
MD5:	cfc3542e983b4a7436dabb73132cbbdb
SHA1:	c792d80b3667badeef358a872cc5b548d9114151
SHA256:	614490e3bf7cf0672ecda890e33b49f4f8b80da18333111489284df04ab7d934
Tags:	exeformbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Sample uses process hollowing technique

Tries to steal Mail credentials (via file / registry access)

Maps a DLL or memory area into another process

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Injects a PE file into a foreign processes

Queues an APC in another process (thread injection)

.NET source code contains very large strings

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Enables debug privileges

PE file does not import any functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64

Order 20233.exe (PID: 5872 cmdline: C:\Users\user\Desktop\Order 20233.exe MD5: CFC3542E983B4A7436DABB73132CBBDB)

aspnet_compiler.exe (PID: 6120 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: 7809A19AA8DA1A41F36B60B0664C4E20)

AddInProcess.exe (PID: 2140 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)

Microsoft.Workflow.Compiler.exe (PID: 1360 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4)

dfsvc.exe (PID: 2288 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)

aspnet_wp.exe (PID: 2104 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe MD5: 3F68BCF536EEAE067038C67022CDF6D8)

aspnet_regsql.exe (PID: 5300 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F)

aspnet_regiis.exe (PID: 1760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe MD5: 061D8C0371566D560C5B15C77A34046F)

mscorsvw.exe (PID: 3956 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)

ngen.exe (PID: 5612 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe MD5: FBA5E8D94C9EADC279BC06B9CF041A9A)

AddInProcess32.exe (PID: 4392 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

mstsc.exe (PID: 5380 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ahmedo.ch/dcn0/"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0e9:$sqlite3step: 68 34 1C 7B E1 0x1ac61:$sqlite3step: 68 34 1C 7B E1 0x1a12b:$sqlite3text: 68 38 2A 90 C5 0x1aca6:$sqlite3text: 68 38 2A 90 C5 0x1a142:$sqlite3blob: 68 53 D8 7F 8C 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6d48:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f7b7:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xafe6:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x1851e:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x1831c:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17dc8:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x1841e:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x18596:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xabb1:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x17013:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1e52e:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1f521:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a820:$sqlite3step: 68 34 1C 7B E1 0x1b398:$sqlite3step: 68 34 1C 7B E1 0x1a862:$sqlite3text: 68 38 2A 90 C5 0x1b3dd:$sqlite3text: 68 38 2A 90 C5 0x1a879:$sqlite3blob: 68 53 D8 7F 8C 0x1b3f3:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0e9:$sqlite3step: 68 34 1C 7B E1 0x1ac61:$sqlite3step: 68 34 1C 7B E1 0x1a12b:$sqlite3text: 68 38 2A 90 C5 0x1aca6:$sqlite3text: 68 38 2A 90 C5 0x1a142:$sqlite3blob: 68 53 D8 7F 8C 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C
00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x10080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0x8de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x8691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x8ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x8e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x78dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xedf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xfdea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0xb0e9:$sqlite3step: 68 34 1C 7B E1 0xbc61:$sqlite3step: 68 34 1C 7B E1 0xb12b:$sqlite3text: 68 38 2A 90 C5 0xbca6:$sqlite3text: 68 38 2A 90 C5 0xb142:$sqlite3blob: 68 53 D8 7F 8C 0xbcbc:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0x1f080:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01 0x17de7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x17be5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x17691:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x17ce7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x17e5f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xa47a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x168dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x1ddf7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1edea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x1a0e9:$sqlite3step: 68 34 1C 7B E1 0x1ac61:$sqlite3step: 68 34 1C 7B E1 0x1a12b:$sqlite3text: 68 38 2A 90 C5 0x1aca6:$sqlite3text: 68 38 2A 90 C5 0x1a142:$sqlite3blob: 68 53 D8 7F 8C 0x1acbc:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook_1	Yara detected FormBook	Joe Security
00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x6611:$a1: 3C 30 50 4F 53 54 74 09 40 0xa8af:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: Order 20233.exe PID: 5872	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Order 20233.exe PID: 5872	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: AddInProcess32.exe PID: 4392	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x2c4bc:$a1: 3C 30 50 4F 53 54 74 09 40 0x12e9f0:$a1: 3C 30 50 4F 53 54 74 09 40
Process Memory Space: mstsc.exe PID: 5380	Windows_Trojan_Formbook_1112e116	unknown	unknown	0x69808:$a1: 3C 30 50 4F 53 54 74 09 40 0xa5fea:$a1: 3C 30 50 4F 53 54 74 09 40 0x103fe5:$a1: 3C 30 50 4F 53 54 74 09 40
Click to see the 26 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.Order 20233.exe.21700429a18.0.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.Order 20233.exe.21700429a18.0.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9c39:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x9c68:$e2: Add-MpPreference -ExclusionPath
0.2.Order 20233.exe.21700429a18.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9c09:$r1: Classes\Folder\shell\open\command 0x9058:$k1: DelegateExecute

Snort Signatures

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 213.239.221.71

Timestamp:	192.168.2.3213.239.221.7149698802031412 01/08/23-16:24:08.929621
SID:	2031412
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 213.239.221.71

Timestamp:	192.168.2.3213.239.221.7149698802031449 01/08/23-16:24:08.929621
SID:	2031449
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN FormBook CnC Checkin (GET) - Source IP: 192.168.2.3 - Destination IP: 213.239.221.71

Timestamp:	192.168.2.3213.239.221.7149698802031453 01/08/23-16:24:08.929621
SID:	2031453
Source Port:	49698
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Order 20233.exe	ReversingLabs: Detection: 51%
Source: Order 20233.exe	Virustotal: Detection: 40%			Perma Link

Yara detected FormBook

Source: Yara match	File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.ahmedo.ch/dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w==	Avira URL Cloud: Label: malware
Source: www.ahmedo.ch/dcn0/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: iamme-label.com	Virustotal: Detection: 8%			Perma Link
Source: www.ahmedo.ch/dcn0/	Virustotal: Detection: 9%			Perma Link

Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.ahmedo.ch/dcn0/"]}

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Order 20233.exe PID: 5872, type: MEMORYSTR

Source: Order 20233.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: AddInProcess32.pdb source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: c:\TeamCity\buildAgent\work\5644082abfe4d909\EFBuild\obj\Release\Migrate\migrate.pdb source: Order 20233.exe
Source:	Binary string: mstsc.pdb source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.239.221.71 80
Source: C:\Windows\explorer.exe	Domain query: www.ahmedo.ch

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 213.239.221.71:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 213.239.221.71:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 213.239.221.71:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.ahmedo.ch/dcn0/

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: global traffic

HTTP traffic detected: GET /dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w== HTTP/1.1Host: www.ahmedo.chConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 213.239.221.71 213.239.221.71

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sun, 08 Jan 2023 15:24:08 GMTContent-Type: text/html; charset=utf-8Content-Length: 254Connection: closeX-Varnish: 1006141483Retry-After: 5Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 45 72 72 6f 72 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 20 20 20 20 3c 70 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 70 3e 0a 20 20 20 20 3c 68 33 3e 47 75 72 75 20 4d 65 64 69 74 61 74 69 6f 6e 3a 3c 2f 68 33 3e 0a 20 20 20 20 3c 70 3e 58 49 44 3a 20 31 30 30 36 31 34 31 34 38 33 3c 2f 70 3e 0a 20 20 20 20 3c 68 72 3e 0a 20 20 20 20 3c 70 3e 56 61 72 6e 69 73 68 20 63 61 63 68 65 20 73 65 72 76 65 72 3c 2f 70 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html> <head> <title>404 Not Found</title> </head> <body> <h1>Error 404 Not Found</h1> <p>Not Found</p> <h3>Guru Meditation:</h3> <p>XID: 1006141483</p> <hr> <p>Varnish cache server</p> </body></html>

Source: 4184-48M.21.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 4184-48M.21.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 4184-48M.21.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4184-48M.21.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sysinternals.com0

Source: unknown

DNS traffic detected: queries for: www.ahmedo.ch

Source: global traffic

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order 20233.exe

.NET source code contains very large strings

Source: Order 20233.exe, moabGi8lf8iend/moabGu5ss.cs

Long String: Length: 602136

Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.Order 20233.exe.21700429a18.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: AddInProcess32.exe PID: 4392, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: mstsc.exe PID: 5380, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3854F8
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3830A0
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3830B0
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3948D9
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD38A969
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD385588
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD38BD36
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD382FD0
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD38D285
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3854F0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185F900
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01874120
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186B090
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019220A8
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019228EC
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911002
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192E824
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188EBB0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191DBD2
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019103DA
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01922B28
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187AB40
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019222AE
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0190FA2B
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882581
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019225DD
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186D5E0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01922D07
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01850D20
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01921D55
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186841F
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191D466
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192DFCE
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01921FF1
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01922EF7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191D616
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01876E30
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004012A7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004223E6
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040B443
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040B447
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004044C0
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004044C7
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040FE77
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004046E7

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: String function: 0185B150 appears 45 times

Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD39A0AD NtResumeThread,
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD399F90 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD39A538 NtResumeThread,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018998F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018995D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018997A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018999D0 NtCreateProcessEx,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899950 NtQueueApcThread,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018998A0 NtWriteVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899820 NtEnumerateKey,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0189B040 NtSuspendThread,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0189A3B0 NtGetContextThread,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899B00 NtSetValueKey,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899A80 NtOpenDirectoryObject,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899A10 NtQuerySection,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018995F0 NtQueryInformationFile,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899520 NtWaitForSingleObject,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0189AD30 NtSetContextThread,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899560 NtWriteFile,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0189A710 NtOpenProcessToken,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899730 NtQueryVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899760 NtOpenProcess,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0189A770 NtOpenThread,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899770 NtSetInformationFile,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018996D0 NtCreateKey,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899610 NtEnumerateValueKey,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899650 NtQueryValueKey,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01899670 NtQueryInformationProcess,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041E097 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004012A7 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041DEB7 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041DF67 NtReadFile,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041DFE7 NtClose,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041E091 NtAllocateVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004014E9 NtProtectVirtualMemory,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041DEB1 NtCreateFile,
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041DFE2 NtClose,

Source: Order 20233.exe

Static PE information: No import functions for PE file found

Source: Order 20233.exe, 00000000.00000002.316784972.00000217728BB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Order 20233.exe
Source: Order 20233.exe, 00000000.00000002.317830281.00000217742B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe
Source: Order 20233.exe, 00000000.00000002.312683792.0000021710011000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs Order 20233.exe
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprocexp.SysB vs Order 20233.exe

Source: Order 20233.exe	ReversingLabs: Detection: 51%
Source: Order 20233.exe	Virustotal: Detection: 40%

Source: Order 20233.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order 20233.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Order 20233.exe C:\Users\user\Desktop\Order 20233.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Source: C:\Windows\SysWOW64\mstsc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32

Source: C:\Users\user\Desktop\Order 20233.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order 20233.exe.log

Jump to behavior

Source: C:\Windows\SysWOW64\mstsc.exe

File created: C:\Users\user\AppData\Local\Temp\4184-48M

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@22/2@2/1

Source: Order 20233.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\Order 20233.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll

Source: Order 20233.exe, moabGi8lf8iend/moabGu5ss.cs

Base64 encoded string: 'Jr0xBz+D+BELGing3agbwsAiJOAQiCxuo8V9PAF/wB9EXrxYPhbXm/9FZtg67D4Pu5gkIVh2Jt0Z0mfXiLyT7qEBYe/8i8zpbJYUZP2dX/pJ5zXISHZ9mD+skozjHoqZYOFGs+6gMw/Gf66pqYSKc+6V6t3+zbYnJczVBRi+pPZoCWhxuiTU+IfihPJhzit4wnx9uXqKB1rEdLoF0LOATjSCOziQQ14gxzGP4L7hVCsKybhqIG8Dd+1rFp21TshLOrLTVd37HEVMT1/4QRXI/BclrpWkv6mIuWefL6cQ5dTzM+zcGZ4Ggy0HGqzOdNGMjAaf1euDFGL51KFGQNpLGafNVim6FJbLl75St+6y1nMKkXRrbgs2QtiuwTLGmc84RF68WD4W15v/RWbYOuw+D0RevFg+Fteb/0Vm2DrsPg9EXrxYPhbXm/9FZtg67D4PRF68WD4W15v/RWbYOuw+D0RevFg+Fteb/0Vm2DrsPg9vNXSMmjRXsWUcjcFx6HlNqOo3bXIF94qAeyFKNv4UdfW0JQHIh7RQx3ufFu4qrkXdvrzcqIM7EvDg6ZcaOoPFwgVspZ6/1FVuO0NMF2Bojy5aXe893GVf4xKTVgSbStSJN/W1P/arSFPDPbmfKC+nRF68WD4W15v/RWbYOuw+D0RevFg+Fteb/0Vm2DrsPg+IjShPa6MqIjcJVxubYZHFFl18fIuZLxmY5SogkctNqkRevFg+Fteb/0Vm2DrsPg9EXrxYPhbXm/9FZtg67D4PP7m4exSTdy5g9ph8fIHPMuS/L9Xl2jIfNrh8PMfCDOO9OK0p6NBowlTXt6ko7ND53D14FQDMeIy2EmvL9dcSpGLpXd6IGbHPZgpLOXcBsTVFYV4r8ktGmTk3Kal8GmbrSNaKf9gSGC9QCjtaglNj/Rrzux/WptmXrkggyARXV31OR9qr26v/HUfczrp2BWnActzRK5v/iYAhq2EdWkjsISk6IdBjb6k1/trfTcVcMZ6PxCHcB8evEZBqGBZRdl30qGLfwZiEVEo66Mj5ES9Vv95N10txq+daeKH2ox1bD7DPBtMF0DR6SIReu3NAbBdi9dofkCR9rD5WcxwWUECtqKh5ylV6Xyura3e7HZBCctPpsY9KTQ6ks/Jlq+7x91e7TH4XPA9sxPVpyK5Vqbm7EJ3VgbuvuZM/MkPc9tG4JbiNzLqo6rUWP1UkIuMzO1vMCUyYpXkBu9twDwqwonjSUQBIs/guI+szq1iNDQdkhjVK5qzMnLoCdQ6GfnH/yB9QGLkRPbzSRdltX/wxLr0OEMNTsNGMaH9tskvdJFhNvSTjNZdEPejI5SdAJsU/Woy0sL1eTNizHsnQjlKKtuaVxlSuYvnBNk71I/RatuZ46vqvutQ1O+1PLfRgn1MVaQuxV+nQY8EM4tid7HWd2Xzyqeq1Bb0b92Mb9F+UZhgqBsuuhyREUVk1OKmTtAa09hk4w6jub8gV1H/GxKYvl2Z/InWFo8LYVj+3EFYVrflA8PyvtLTTLYlAVkF9x5SyV3IcTls9BqVw0lad13OMJgbnFsB8rkkKxXQko/kB7LECbvyLkXQXiGTIcLadkjgHWo5iALZr705SKnsuQm+hzGvN+OWiGLFnUGwPQSWFFW9hiPGOQZeza6fptCg5HWbSSmxwBLOg9++ygql8F1gF/2fJgWEIgcsNzRc0nFveeSVId63avstX0jCiMRcs0BN7YmuwUFrZW6Som5FmB9hOHAkKYnM6um6LgAaFT4TCJk8PqQMRkKyydFsOX9Ug3Il2wK1UL6htE2vqT70KMrb2ovY1bw1Sm+VM6r8khQPXDmCdlvhdl3a7zJVN/32RGoXUtTftW9/hbKJHoxiBC0+vwqnIRWqodcfnyie8yevlU/Jmkg1e0lNKBTYbOTExyT9VArNlW1hScYhPtzlUn2h+qdKVq7YXcN+HmGxB1fs/etzThQNk7+JWwAKfBh7Aqj+efbL6WO1nrvw3Q7xVag+9Hkj8n9lxwT5S32mrwOZtG71MFWHYIdg6gDM7qehCVWSoDEXRJxk5BZW8aOui4HIuUamxafGJMnEpu2lXjJzXJ9D4hwSgCy9ukpVrpEuVbkFwlAdTBY5StrYhqRRZ1pYUVq0EmPc55R3XWw/BFbzwrx80kYQ37VQGkpDslX5sXfx8RpdhvVqdGtq3H5dRLC0Y9q7mzjeoxW+DcnZtuqtnKRW2I+n1Tnw4MwFw73Q/IGtcdGaVuLBNpW4EqXi9f2M0YtdG2tlDKuUCoB3eFPG6fyOf5+nQGosH7vfnMEpU1f+paIXNd/Dt1EyGfp07Bu4dMN/dyn2z07w46Z0MgYDOuELiagUlwxxIQy5R1QaEs+hxpGEfSbkZHwug2g9BgKPxCn71go1bqcoZp9LDI79NYr6Nh677MiCmE4pfZ/LvEtqH+cU9hgC1YZIPSsypXKgVFexFQUBwkMPwgx4WzOdfp3teElc15qeroeYN6+Y5bvudEvPLrpTUfNBGGJKV4uzqFMFWY9R3ecHN1msI1FHiPj4a0+ewdYLrG/UzEitTLVJYaKCP2TWMnBfSp6B5m+egRqpip3AEVmYPM53PTGbK49LxfdNCm2s19K8KcH3Tc8vpW3LU/PYYSmuW0EibVkFFSdaeA6uAgnMTZ5RA8PAy7J0qT0igYRdGt9bOaxIAW8mn36EB8kAtPEtrMHfh7IIjhDBWsQRzGzDjs8lZ60c2HX52dLleI8ArkkGJQpACOCZaIGDC9k/3R0W9sJb60cw5fTrtQC0Zgo74QVHctpFnrvqmP+KFWf7o6A1eswjHJ1vOgpc37wvkMfeWwiXJgdwLo0GREJQphgd5COG5qx65NTqguxc+yvMbe/NOUpadv5RNNnaUKdVKszW88kV9xvpiPuenB/2TKGc86Twl6W7z8GABGPkwVDMJkQOyc3omUv2kLVnsMjd9K7JdukBIzvTAvCGe4fVbeQ7K/RWwvrjHrsAW2OKYxJouvVknRTc

Source: Order 20233.exe, moabDefe1da1t/moab0ecade.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Order 20233.exe, moabDefe1da1t/moab0ecade.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\Order 20233.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: Order 20233.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: C:\Windows\SysWOW64\mstsc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

Source: Order 20233.exe

Static file information: File size 1827328 > 1048576

Source: Order 20233.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Order 20233.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bde00

Source: Order 20233.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Order 20233.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: AddInProcess32.pdb source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: AddInProcess32.exe, AddInProcess32.exe, 00000011.00000003.308531715.0000000001697000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.305774318.00000000014FF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000002.429111171.0000000001830000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.431126939.0000000005003000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.531941308.00000000051A0000.00000040.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000003.428147207.0000000004E69000.00000004.00000800.00020000.00000000.sdmp, mstsc.exe, 00000015.00000002.533058558.00000000052BF000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: mstsc.pdbGCTL source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: AddInProcess32.pdbpw source: mstsc.exe, 00000015.00000002.533525731.00000000054E3000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: c:\TeamCity\buildAgent\work\5644082abfe4d909\EFBuild\obj\Release\Migrate\migrate.pdb source: Order 20233.exe
Source:	Binary string: mstsc.pdb source: AddInProcess32.exe, 00000011.00000003.416107815.000000000386B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000011.00000003.420075103.0000000003BC4000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_000002177258A635 pushfq ; retf
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3881DE push eax; ret
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD3881C3 pushad ; ret
Source: C:\Users\user\Desktop\Order 20233.exe	Code function: 0_2_00007FFBAD387F17 push ebx; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018AD0D1 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004210F9 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040A0FE push ds; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004210AC push eax; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00421163 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00421102 push eax; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_004082D9 pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041B2F7 push edi; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041AA83 push ecx; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0040CAAF pushad ; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041AABE push ebx; ret
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041AB17 push edx; retf
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0041AC8C push es; retf
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_00419F2C pushfd ; ret

Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Order 20233.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mstsc.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Order 20233.exe PID: 5872, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Order 20233.exe TID: 6048

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\explorer.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 17_2_01886B90 rdtsc

Source: C:\Users\user\Desktop\Order 20233.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

API coverage: 8.3 %

Source: C:\Users\user\Desktop\Order 20233.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Order 20233.exe

Thread delayed: delay time: 922337203685477

Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000014.00000000.332547025.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Order 20233.exe	Binary or memory string: krW0yvrDWyLEsalvv9+gJn4HXY2Vl3oUSouBYpABUpILCnMKeZOCp4tGtHKoVCk8NpdWGHrn5rVTmS77oiljOkKoFUpHgfs9AD+dv7F0vkXKD8MG11HzATdEKuZ0Wj8hJq
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 00000014.00000000.359291499.0000000007166000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000014.00000000.332547025.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: explorer.exe, 00000014.00000000.366252688.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
Source: explorer.exe, 00000014.00000000.332547025.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
Source: explorer.exe, 00000014.00000000.354585161.0000000005063000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000014.00000000.366252688.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 17_2_01886B90 rdtsc

Source: C:\Users\user\Desktop\Order 20233.exe	Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019149A4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018E41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01874120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01874120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018540E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01924015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01924015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01870050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01870050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01912073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01921074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01861B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01861B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0190D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01884BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01884BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01884BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01925BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191131B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01928B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01883B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01883B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01868A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01855210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01855210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01855210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01855210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01873A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01894A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01894A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01859240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018E4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0190B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0190B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01928A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0189927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01882581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01852D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01881DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01881DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01881DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01908DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01928D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01863D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01884D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01884D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01884D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018DA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01893D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01903D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01877D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01928CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_019114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01868794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0192070D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01854F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01854F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186EF40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01928F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018EFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018D46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01920EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01920EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01920EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01928ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018836CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01898EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0190FEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018676E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_018816E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01888E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0188A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01911608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0185E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0190FE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_01867E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0191AE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0186766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Code function: 17_2_0187AE73 mov eax, dword ptr fs:[00000030h]

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\mstsc.exe	Process queried: DebugPort

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Code function: 17_2_018999A0 NtCreateSection,LdrInitializeThunk,

Source: C:\Users\user\Desktop\Order 20233.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 213.239.221.71 80
Source: C:\Windows\explorer.exe	Domain query: www.ahmedo.ch

Sample uses process hollowing technique

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Section unmapped: C:\Windows\SysWOW64\mstsc.exe base address: 1310000

Maps a DLL or memory area into another process

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Section loaded: unknown target: C:\Windows\SysWOW64\mstsc.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\mstsc.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Order 20233.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\Desktop\Order 20233.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 401000
Source: C:\Users\user\Desktop\Order 20233.exe	Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 11DF008

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\Order 20233.exe

Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Thread register set: target process: 3452
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\mstsc.exe	Thread register set: target process: 3452

Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\Order 20233.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe

Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.380769672.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.353276802.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.323500035.0000000006770000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.369946324.00000000090D8000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.380769672.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.353276802.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000014.00000000.380301258.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000000.311808218.0000000001378000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CProgmanile
Source: explorer.exe, 00000014.00000000.312817573.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.380769672.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000014.00000000.353276802.0000000001980000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Order 20233.exe

Queries volume information: C:\Users\user\Desktop\Order 20233.exe VolumeInformation

Source: C:\Users\user\Desktop\Order 20233.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\SysWOW64\mstsc.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\mstsc.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Shared Modules	Path Interception	712 Process Injection	1 Masquerading	1 OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	1 Data from Local System	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	712 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Order 20233.exe	51%	ReversingLabs	ByteCode-MSIL.Trojan.Heracles
Order 20233.exe	40%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
17.0.AddInProcess32.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

Source	Detection	Scanner	Link
www.ahmedo.ch	4%	Virustotal	Browse
iamme-label.com	9%	Virustotal	Browse
www.iamme-label.com	3%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://www.sysinternals.com0	0%	URL Reputation	safe
http://www.ahmedo.ch/dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w==	100%	Avira URL Cloud	malware
www.ahmedo.ch/dcn0/	10%	Virustotal		Browse
www.ahmedo.ch/dcn0/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.ahmedo.ch	213.239.221.71	true	true	4%, Virustotal, Browse	unknown
iamme-label.com	81.169.145.80	true	false	9%, Virustotal, Browse	unknown
www.iamme-label.com	unknown	unknown	true	3%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
www.ahmedo.ch/dcn0/	true	10%, Virustotal, Browse Avira URL Cloud: malware	low
http://www.ahmedo.ch/dcn0/?pFQ0Q=4h6DHJsXwPiPeVap&oRk4IZo0=C4IpA5iiNFvhwRpGGB75QVE24l/FHjdcJi1XKvHDvYafZRhhpOblpVmnT5Y5r50LceSQqf3teF0eh20kxL606x8yuiPd0JQ74w==	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	4184-48M.21.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	false		high
https://duckduckgo.com/chrome_newtab	mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	false		high
https://duckduckgo.com/ac/?q=	4184-48M.21.dr	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	false		high
https://www.sysinternals.com0	Order 20233.exe, 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	4184-48M.21.dr	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	4184-48M.21.dr	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	mstsc.exe, 00000015.00000003.521808734.0000000001016000.00000004.00000020.00020000.00000000.sdmp, 4184-48M.21.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
213.239.221.71	www.ahmedo.ch	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	36.0.0 Rainbow Opal
Analysis ID:	780222
Start date and time:	2023-01-08 16:21:13 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 39s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Order 20233.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@22/2@2/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 33.5% (good quality ratio 29.1%) Quality average: 71.4% Quality standard deviation: 33.6%
HCA Information:	Successful, ratio: 97% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ctldl.windowsupdate.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Process:	C:\Users\user\Desktop\Order 20233.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	1510
Entropy (8bit):	5.381105762964764
Encrypted:	false
SSDEEP:	24:ML9E4KrL1qE4GiD0E4KeGiKDE4KGKN08AKhPKIE4TKD1KoZAE4KKPN+84xpNT:MxHKn1qHGiD0HKeGiYHKGD8AoPtHTG1f
MD5:	A3195731DF98BB6BDA4A3DE6D454C33C
SHA1:	CBEE1CB7EAFDE247618CC50DDE5D9A143732C7E4
SHA-256:	68DD8AFDE633D8CEF50498ADA0CAD19DEEAF370EB6A01D718D11A499D44E2CCA
SHA-512:	11DF23E67BBC8A6DA19406BB025FB0F90304B9FD7A2987FC7678E072AE288094A022E9BB8EDB06B102095BFB54BC8C703FD7D646925D6681F256B52354D04DFD
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\49e5c0579db170be9741dccc34c1998e\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\6d7d43e19d7fc0006285b85b7e2c8702\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S

C:\Users\user\AppData\Local\Temp\4184-48M

Download File

Process:	C:\Windows\SysWOW64\mstsc.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2882898331044472
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJPn6UVuUhoEwn7PrH944:gS/inPvVuUhoEwn7b944
MD5:	4822E6A71C88A4AB8A27F90192B5A3B3
SHA1:	CC07E541426BFF64981CE6DE7D879306C716B6B9
SHA-256:	A6E2CCBD736E5892E658020543F4DF20BB422253CAC06B37398AA4935987446E
SHA-512:	C4FCA0DBC8A6B00383B593046E30C5754D570AA2009D4E26460833FB1394D348776400174C898701F621C305F53DC03C1B42CF76AA5DC33D5CCD8FA44935B03C
Malicious:	false
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.565938948299627
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	Order 20233.exe
File size:	1827328
MD5:	cfc3542e983b4a7436dabb73132cbbdb
SHA1:	c792d80b3667badeef358a872cc5b548d9114151
SHA256:	614490e3bf7cf0672ecda890e33b49f4f8b80da18333111489284df04ab7d934
SHA512:	f434b55379dc227f8908b6e25c39a61e699a0b6f90b5d48128f148c6c838ead6d8ec330191d62c409236bc109a95b7fa6a5ad234c99ee57584dc2405490d38fb
SSDEEP:	24576:0G/gSI7uzvdh53ATay0Lu9fE124K2Gzo/Xyhp4HtNLpTGLRvO4x:dgruLMayJWao/XC6B
TLSH:	258532203AFE601DF1B3AF795FF4759AA97FFA623B02945D1051034A0A23E41DDD1A3A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....L.Y.........."...0.................. ....@...... ....................... ......5.....`................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59EE4CED [Mon Oct 23 20:11:25 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1c0000	0x10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1bfc02	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1bdc8e	0x1bde00	False	0.39824640366554526	data	4.567184281741237	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x1c0000	0x10	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3213.239.221.7149698802031412 01/08/23-16:24:08.929621	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49698	80	192.168.2.3	213.239.221.71
192.168.2.3213.239.221.7149698802031449 01/08/23-16:24:08.929621	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49698	80	192.168.2.3	213.239.221.71
192.168.2.3213.239.221.7149698802031453 01/08/23-16:24:08.929621	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49698	80	192.168.2.3	213.239.221.71

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 16:24:08.907176018 CET	49698	80	192.168.2.3	213.239.221.71
Jan 8, 2023 16:24:08.929352045 CET	80	49698	213.239.221.71	192.168.2.3
Jan 8, 2023 16:24:08.929502010 CET	49698	80	192.168.2.3	213.239.221.71
Jan 8, 2023 16:24:08.929620981 CET	49698	80	192.168.2.3	213.239.221.71
Jan 8, 2023 16:24:08.952090025 CET	80	49698	213.239.221.71	192.168.2.3
Jan 8, 2023 16:24:08.957961082 CET	80	49698	213.239.221.71	192.168.2.3
Jan 8, 2023 16:24:08.958008051 CET	80	49698	213.239.221.71	192.168.2.3
Jan 8, 2023 16:24:08.958194971 CET	49698	80	192.168.2.3	213.239.221.71
Jan 8, 2023 16:24:08.958410025 CET	49698	80	192.168.2.3	213.239.221.71
Jan 8, 2023 16:24:08.980180025 CET	80	49698	213.239.221.71	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2023 16:24:08.849303961 CET	49977	53	192.168.2.3	8.8.8.8
Jan 8, 2023 16:24:08.895353079 CET	53	49977	8.8.8.8	192.168.2.3
Jan 8, 2023 16:24:18.985353947 CET	57840	53	192.168.2.3	8.8.8.8
Jan 8, 2023 16:24:19.005789042 CET	53	57840	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2023 16:24:08.849303961 CET	192.168.2.3	8.8.8.8	0x8412	Standard query (0)	www.ahmedo.ch	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:24:18.985353947 CET	192.168.2.3	8.8.8.8	0x2ac9	Standard query (0)	www.iamme-label.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2023 16:24:08.895353079 CET	8.8.8.8	192.168.2.3	0x8412	No error (0)	www.ahmedo.ch		213.239.221.71	A (IP address)	IN (0x0001)	false
Jan 8, 2023 16:24:19.005789042 CET	8.8.8.8	192.168.2.3	0x2ac9	No error (0)	www.iamme-label.com	iamme-label.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2023 16:24:19.005789042 CET	8.8.8.8	192.168.2.3	0x2ac9	No error (0)	iamme-label.com		81.169.145.80	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.ahmedo.ch

Target ID:	0
Start time:	16:23:10
Start date:	08/01/2023
Path:	C:\Users\user\Desktop\Order 20233.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\Order 20233.exe
Imagebase:	0x21772580000
File size:	1827328 bytes
MD5 hash:	CFC3542E983B4A7436DABB73132CBBDB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.307240317.00000217000D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: aspnet_compiler.exePID: 6120, Parent PID: 5872

General

Target ID:	4
Start time:	16:23:24
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x1eacc870000
File size:	54888 bytes
MD5 hash:	7809A19AA8DA1A41F36B60B0664C4E20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: AddInProcess.exePID: 2140, Parent PID: 5872

General

Target ID:	6
Start time:	16:23:29
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Imagebase:	0x1892c120000
File size:	42080 bytes
MD5 hash:	11D8A500C4C0FBAF20EBDB8CDF6EA452
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: Microsoft.Workflow.Compiler.exePID: 1360, Parent PID: 5872

General

Target ID:	7
Start time:	16:23:29
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Imagebase:	0x29ba2ba0000
File size:	32872 bytes
MD5 hash:	D91462AE31562E241AF5595BA5E1A3C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: dfsvc.exePID: 2288, Parent PID: 5872

General

Target ID:	8
Start time:	16:23:29
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Imagebase:	0x1be839a0000
File size:	24160 bytes
MD5 hash:	48FD4DD682051712E3E7757C525DED71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: aspnet_wp.exePID: 2104, Parent PID: 5872

General

Target ID:	10
Start time:	16:23:30
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Imagebase:	0x7ff651cf0000
File size:	50784 bytes
MD5 hash:	3F68BCF536EEAE067038C67022CDF6D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: aspnet_regsql.exePID: 5300, Parent PID: 5872

General

Target ID:	11
Start time:	16:23:30
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Imagebase:	0x15782f30000
File size:	126560 bytes
MD5 hash:	F31014EE4DE7FE48E9B7C9BE94CFB45F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: aspnet_regiis.exePID: 1760, Parent PID: 5872

General

Target ID:	13
Start time:	16:23:30
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Imagebase:	0x7ff66ccd0000
File size:	44640 bytes
MD5 hash:	061D8C0371566D560C5B15C77A34046F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: mscorsvw.exePID: 3956, Parent PID: 5872

General

Target ID:	15
Start time:	16:23:31
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Imagebase:	0x7ff7da510000
File size:	128584 bytes
MD5 hash:	B00E9325AC7356A3F4864EAAAD48E13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: ngen.exePID: 5612, Parent PID: 5872

General

Target ID:	16
Start time:	16:23:31
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Imagebase:	0x7ff63bfc0000
File size:	174184 bytes
MD5 hash:	FBA5E8D94C9EADC279BC06B9CF041A9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: AddInProcess32.exePID: 4392, Parent PID: 5872

General

Target ID:	17
Start time:	16:23:31
Start date:	08/01/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Imagebase:	0xe60000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000011.00000002.428209911.0000000000401000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000011.00000002.429045725.00000000017F0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown

Analysis Process: explorer.exePID: 3452, Parent PID: 4392

General

Target ID:	20
Start time:	16:23:35
Start date:	08/01/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff69fe90000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000014.00000000.374923978.000000001033E000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

Analysis Process: mstsc.exePID: 5380, Parent PID: 3452

General

Target ID:	21
Start time:	16:24:21
Start date:	08/01/2023
Path:	C:\Windows\SysWOW64\mstsc.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\mstsc.exe
Imagebase:	0x1310000
File size:	3444224 bytes
MD5 hash:	2412003BE253A515C620CE4890F3D8F3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.531522475.00000000037F0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.524509054.0000000000BB0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000015.00000002.528604995.00000000012D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group

Disassembly

⊘No disassembly

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order 20233.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Order 20233.exe.log

C:\Users\user\AppData\Local\Temp\4184-48M

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

Windows Analysis Report
Order 20233.exe