Windows Analysis Report
vZnbpHVO9Ay3PKW.exe

Overview

General Information

Sample Name: vZnbpHVO9Ay3PKW.exe
Analysis ID: 583349
MD5: 8e898565abe03640846bca9be730eac2
SHA1: bc2f5ec79debfac8f87fde09b0d9d72dac9b6f93
SHA256: 943206c8028ed79aa0aafefa101ffa5d3034cf92b82f705556f12cf0a7eb5a5c
Tags: exexloader
Infos:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Writes to foreign memory regions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Binary contains a suspicious time stamp
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious

AV Detection
barindex
Found malware configuration
Source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.wanfengzp.com/k8yh/"], "decoy": ["lift2.cloud", "tradeplay.net", "familyattorneybg.com", "accurbizlist.com", "xrcasino.online", "walletwriter.space", "tiendasbioaseo.com", "mrcandywholesale.com", "multicoopltda.com", "buylebsack.com", "pilatesvilanova.com", "fendoremi.com", "vmfband.com", "hrtaro.com", "todosartenes.net", "glusanka.info", "dusa.codes", "cfcfcs.xyz", "ecostarsenergy.com", "tokenbooze.com", "3dvizscope.com", "covenantarkal.com", "magadethkult.net", "gma-marineservices.com", "streamgift9.info", "zshhxx.com", "discriminatorily.xyz", "hxiemetals.com", "theloansexperts.com", "katarinapalushaj.com", "greencity-college-club.com", "tenlog062.xyz", "librosyarteclub.com", "fleuritionfloralandevents.com", "walemiketalk.online", "anariely.com", "smutlinxxx.com", "jcfim.com", "sportssolutions.store", "universityhelpworkshops.com", "kbyt103.online", "petronelli.group", "gamingbd.pro", "4kx.claims", "eventdirective.com", "atlanticpromotionsworldwide.com", "mastercity.online", "agrocet.com", "dualipadenver.com", "iepnewschool.com", "myesthetic.club", "betdivers.com", "viviangreenenft.store", "gratefulgangstas.com", "dcfrc.com", "chefscuderi.com", "velvettask.com", "korlad.com", "19hawthornedrive166.com", "zevklifoods.com", "the-look-uae.com", "financialservicesforyou.com", "blauing.digital", "stealameme.com"]}
Multi AV Scanner detection for submitted file
Source: vZnbpHVO9Ay3PKW.exe Virustotal: Detection: 39% Perma Link
Source: vZnbpHVO9Ay3PKW.exe Metadefender: Detection: 31% Perma Link
Source: vZnbpHVO9Ay3PKW.exe ReversingLabs: Detection: 77%
Yara detected FormBook
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Antivirus detection for URL or domain
Source: https://www.multicoopltda.com/k8yh/?b6fXyX=qPcT3ZF0rXk8OR&TvWlL=g5y8LnFT155fteZvFM8pUfyNt3b Avira URL Cloud: Label: malware
Source: http://www.wanfengzp.com/k8yh/?TvWlL=WlkszVQWggehkNRKyk9knMdKAerz3SY7s+8TALNmeeNpu66eiTCmHshqdICGuNLnjgQy&b6fXyX=qPcT3ZF0rXk8OR Avira URL Cloud: Label: malware
Source: http://www.multicoopltda.com/k8yh/?b6fXyX=qPcT3ZF0rXk8OR&TvWlL=g5y8LnFT155fteZvFM8pUfyNt3b+XWGWDwM5uEmj7cZhEHDH+KATfNiPLE3gzjMDZxnL Avira URL Cloud: Label: malware
Source: www.wanfengzp.com/k8yh/ Avira URL Cloud: Label: malware
Machine Learning detection for sample
Source: vZnbpHVO9Ay3PKW.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.0.RegSvcs.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.RegSvcs.exe.400000.2.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.0.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5.2.RegSvcs.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Uses 32bit PE files
Source: vZnbpHVO9Ay3PKW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: vZnbpHVO9Ay3PKW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 00000005.00000002.435760705.0000000001707000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435636748.00000000016F0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000005.00000002.435760705.0000000001707000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435636748.00000000016F0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: cmmon32.exe, 0000000A.00000002.562891767.0000000004E77000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.561918829.0000000002D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.436281285.0000000001C5F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435882830.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.562493341.0000000004A5F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.562313208.0000000004940000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.436281285.0000000001C5F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435882830.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000A.00000002.562493341.0000000004A5F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.562313208.0000000004940000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: cmmon32.exe, 0000000A.00000002.562891767.0000000004E77000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.561918829.0000000002D34000.00000004.00000020.00020000.00000000.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 4x nop then pop edi 5_2_0040C403
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop edi 10_2_0079C403

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.wanfengzp.com
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.7 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.multicoopltda.com
Source: C:\Windows\explorer.exe Domain query: www.4kx.claims
Source: C:\Windows\explorer.exe Network Connect: 154.213.81.89 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.wanfengzp.com/k8yh/
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: COMING-ASABCDEGROUPCOMPANYLIMITEDHK COMING-ASABCDEGROUPCOMPANYLIMITEDHK
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /k8yh/?b6fXyX=qPcT3ZF0rXk8OR&TvWlL=g5y8LnFT155fteZvFM8pUfyNt3b+XWGWDwM5uEmj7cZhEHDH+KATfNiPLE3gzjMDZxnL HTTP/1.1Host: www.multicoopltda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /k8yh/?TvWlL=WlkszVQWggehkNRKyk9knMdKAerz3SY7s+8TALNmeeNpu66eiTCmHshqdICGuNLnjgQy&b6fXyX=qPcT3ZF0rXk8OR HTTP/1.1Host: www.wanfengzp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /k8yh/?TvWlL=WlkszVQWggehkNRKyk9knMdKAerz3SY7s+8TALNmeeNpu66eiTCmHshqdICGuNLnjgQy&b6fXyX=qPcT3ZF0rXk8OR HTTP/1.1Host: www.wanfengzp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 188.114.97.7 188.114.97.7
Source: Joe Sandbox View IP Address: 188.114.97.7 188.114.97.7
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://fontfabrik.com
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.fonts.com
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sakkal.com
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.tiro.com
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.typography.netD
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.368892993.00000000069F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 0000000A.00000002.562941773.0000000004FF2000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.multicoopltda.com/k8yh/?b6fXyX=qPcT3ZF0rXk8OR&TvWlL=g5y8LnFT155fteZvFM8pUfyNt3b
Source: unknown DNS traffic detected: queries for: www.multicoopltda.com
Source: global traffic HTTP traffic detected: GET /k8yh/?b6fXyX=qPcT3ZF0rXk8OR&TvWlL=g5y8LnFT155fteZvFM8pUfyNt3b+XWGWDwM5uEmj7cZhEHDH+KATfNiPLE3gzjMDZxnL HTTP/1.1Host: www.multicoopltda.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /k8yh/?TvWlL=WlkszVQWggehkNRKyk9knMdKAerz3SY7s+8TALNmeeNpu66eiTCmHshqdICGuNLnjgQy&b6fXyX=qPcT3ZF0rXk8OR HTTP/1.1Host: www.wanfengzp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /k8yh/?TvWlL=WlkszVQWggehkNRKyk9knMdKAerz3SY7s+8TALNmeeNpu66eiTCmHshqdICGuNLnjgQy&b6fXyX=qPcT3ZF0rXk8OR HTTP/1.1Host: www.wanfengzp.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud
barindex
Yara detected FormBook
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.vZnbpHVO9Ay3PKW.exe.28603fc.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: vZnbpHVO9Ay3PKW.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.vZnbpHVO9Ay3PKW.exe.28603fc.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_00D14762 1_2_00D14762
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_00D1FD30 1_2_00D1FD30
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_00D1CACC 1_2_00D1CACC
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_00D1ED40 1_2_00D1ED40
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_00D1ED31 1_2_00D1ED31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00401030 5_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041B8C6 5_2_0041B8C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041BBFB 5_2_0041BBFB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00408C3B 5_2_00408C3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00408C80 5_2_00408C80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402D90 5_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041CFE3 5_2_0041CFE3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00402FB0 5_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B84120 5_2_01B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6F900 5_2_01B6F900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7B090 5_2_01B7B090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C328EC 5_2_01C328EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C320A8 5_2_01C320A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21002 5_2_01C21002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9EBB0 5_2_01B9EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2DBD2 5_2_01C2DBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C32B28 5_2_01C32B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C322AE 5_2_01C322AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C325DD 5_2_01C325DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92581 5_2_01B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7D5E0 5_2_01B7D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B60D20 5_2_01B60D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C31D55 5_2_01C31D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C32D07 5_2_01C32D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7841F 5_2_01B7841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C31FF1 5_2_01C31FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C32EF7 5_2_01C32EF7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B86E30 5_2_01B86E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497841F 10_2_0497841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2D466 10_2_04A2D466
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992581 10_2_04992581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497D5E0 10_2_0497D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A325DD 10_2_04A325DD
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A32D07 10_2_04A32D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04960D20 10_2_04960D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A31D55 10_2_04A31D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A32EF7 10_2_04A32EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04986E30 10_2_04986E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2D616 10_2_04A2D616
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A31FF1 10_2_04A31FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497B090 10_2_0497B090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A320A8 10_2_04A320A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A328EC 10_2_04A328EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21002 10_2_04A21002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496F900 10_2_0496F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04984120 10_2_04984120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A322AE 10_2_04A322AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499EBB0 10_2_0499EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2DBD2 10_2_04A2DBD2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A32B28 10_2_04A32B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007AB8C6 10_2_007AB8C6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007ABBFB 10_2_007ABBFB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_00798C3B 10_2_00798C3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_00798C80 10_2_00798C80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_00792D90 10_2_00792D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007ACFE3 10_2_007ACFE3
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_00792FB0 10_2_00792FB0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 01B6B150 appears 35 times
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 0496B150 appears 35 times
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004185E0 NtCreateFile, 5_2_004185E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00418690 NtReadFile, 5_2_00418690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00418710 NtClose, 5_2_00418710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004187C0 NtAllocateVirtualMemory, 5_2_004187C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004187BA NtAllocateVirtualMemory, 5_2_004187BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA99A0 NtCreateSection,LdrInitializeThunk, 5_2_01BA99A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 5_2_01BA9910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA98F0 NtReadVirtualMemory,LdrInitializeThunk, 5_2_01BA98F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9860 NtQuerySystemInformation,LdrInitializeThunk, 5_2_01BA9860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9840 NtDelayExecution,LdrInitializeThunk, 5_2_01BA9840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9A20 NtResumeThread,LdrInitializeThunk, 5_2_01BA9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9A00 NtProtectVirtualMemory,LdrInitializeThunk, 5_2_01BA9A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9A50 NtCreateFile,LdrInitializeThunk, 5_2_01BA9A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA95D0 NtClose,LdrInitializeThunk, 5_2_01BA95D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9540 NtReadFile,LdrInitializeThunk, 5_2_01BA9540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA97A0 NtUnmapViewOfSection,LdrInitializeThunk, 5_2_01BA97A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9780 NtMapViewOfSection,LdrInitializeThunk, 5_2_01BA9780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9FE0 NtCreateMutant,LdrInitializeThunk, 5_2_01BA9FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9710 NtQueryInformationToken,LdrInitializeThunk, 5_2_01BA9710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA96E0 NtFreeVirtualMemory,LdrInitializeThunk, 5_2_01BA96E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9660 NtAllocateVirtualMemory,LdrInitializeThunk, 5_2_01BA9660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA99D0 NtCreateProcessEx, 5_2_01BA99D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9950 NtQueueApcThread, 5_2_01BA9950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA98A0 NtWriteVirtualMemory, 5_2_01BA98A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9820 NtEnumerateKey, 5_2_01BA9820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BAB040 NtSuspendThread, 5_2_01BAB040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BAA3B0 NtGetContextThread, 5_2_01BAA3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9B00 NtSetValueKey, 5_2_01BA9B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9A80 NtOpenDirectoryObject, 5_2_01BA9A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9A10 NtQuerySection, 5_2_01BA9A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA95F0 NtQueryInformationFile, 5_2_01BA95F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BAAD30 NtSetContextThread, 5_2_01BAAD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9520 NtWaitForSingleObject, 5_2_01BA9520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9560 NtWriteFile, 5_2_01BA9560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9730 NtQueryVirtualMemory, 5_2_01BA9730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BAA710 NtOpenProcessToken, 5_2_01BAA710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9770 NtSetInformationFile, 5_2_01BA9770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BAA770 NtOpenThread, 5_2_01BAA770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9760 NtOpenProcess, 5_2_01BA9760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA96D0 NtCreateKey, 5_2_01BA96D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9610 NtEnumerateValueKey, 5_2_01BA9610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9670 NtQueryInformationProcess, 5_2_01BA9670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA9650 NtQueryValueKey, 5_2_01BA9650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A95D0 NtClose,LdrInitializeThunk, 10_2_049A95D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9540 NtReadFile,LdrInitializeThunk, 10_2_049A9540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A96D0 NtCreateKey,LdrInitializeThunk, 10_2_049A96D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A96E0 NtFreeVirtualMemory,LdrInitializeThunk, 10_2_049A96E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9650 NtQueryValueKey,LdrInitializeThunk, 10_2_049A9650
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9660 NtAllocateVirtualMemory,LdrInitializeThunk, 10_2_049A9660
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9780 NtMapViewOfSection,LdrInitializeThunk, 10_2_049A9780
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9FE0 NtCreateMutant,LdrInitializeThunk, 10_2_049A9FE0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9710 NtQueryInformationToken,LdrInitializeThunk, 10_2_049A9710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9840 NtDelayExecution,LdrInitializeThunk, 10_2_049A9840
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9860 NtQuerySystemInformation,LdrInitializeThunk, 10_2_049A9860
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A99A0 NtCreateSection,LdrInitializeThunk, 10_2_049A99A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 10_2_049A9910
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9A50 NtCreateFile,LdrInitializeThunk, 10_2_049A9A50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A95F0 NtQueryInformationFile, 10_2_049A95F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049AAD30 NtSetContextThread, 10_2_049AAD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9520 NtWaitForSingleObject, 10_2_049A9520
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9560 NtWriteFile, 10_2_049A9560
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9610 NtEnumerateValueKey, 10_2_049A9610
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9670 NtQueryInformationProcess, 10_2_049A9670
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A97A0 NtUnmapViewOfSection, 10_2_049A97A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049AA710 NtOpenProcessToken, 10_2_049AA710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9730 NtQueryVirtualMemory, 10_2_049A9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049AA770 NtOpenThread, 10_2_049AA770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9770 NtSetInformationFile, 10_2_049A9770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9760 NtOpenProcess, 10_2_049A9760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A98A0 NtWriteVirtualMemory, 10_2_049A98A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A98F0 NtReadVirtualMemory, 10_2_049A98F0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9820 NtEnumerateKey, 10_2_049A9820
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049AB040 NtSuspendThread, 10_2_049AB040
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A99D0 NtCreateProcessEx, 10_2_049A99D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9950 NtQueueApcThread, 10_2_049A9950
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9A80 NtOpenDirectoryObject, 10_2_049A9A80
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9A10 NtQuerySection, 10_2_049A9A10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9A00 NtProtectVirtualMemory, 10_2_049A9A00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9A20 NtResumeThread, 10_2_049A9A20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049AA3B0 NtGetContextThread, 10_2_049AA3B0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A9B00 NtSetValueKey, 10_2_049A9B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A85E0 NtCreateFile, 10_2_007A85E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A8690 NtReadFile, 10_2_007A8690
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A8710 NtClose, 10_2_007A8710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A87C0 NtAllocateVirtualMemory, 10_2_007A87C0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A87BA NtAllocateVirtualMemory, 10_2_007A87BA
Sample file is different than original file name gathered from version info
Source: vZnbpHVO9Ay3PKW.exe Binary or memory string: OriginalFilename vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.369376408.00000000071F0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.369311133.0000000006EC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000000.289343459.0000000000422000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAv2.exe> vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMajorRevision.exe< vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe Binary or memory string: OriginalFilenameAv2.exe> vs vZnbpHVO9Ay3PKW.exe
Source: vZnbpHVO9Ay3PKW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: vZnbpHVO9Ay3PKW.exe Virustotal: Detection: 39%
Source: vZnbpHVO9Ay3PKW.exe Metadefender: Detection: 31%
Source: vZnbpHVO9Ay3PKW.exe ReversingLabs: Detection: 77%
Source: vZnbpHVO9Ay3PKW.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe "C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe"
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32 Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vZnbpHVO9Ay3PKW.exe.log Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/1@4/2
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000000.289343459.0000000000422000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE Patrons SET Money=@money, Give=@give, Played=@played WHERE Id=qYou ran out of money! You need to leave and find an ATM!UUPDATE Patrons SET HouseMoney=@houseMoney;
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Mutant created: \Sessions\1\BaseNamedObjects\BHxotwLoclF
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4516:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: vZnbpHVO9Ay3PKW.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: vZnbpHVO9Ay3PKW.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: cmmon32.pdb source: RegSvcs.exe, 00000005.00000002.435760705.0000000001707000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435636748.00000000016F0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RegSvcs.exe, 00000005.00000002.435760705.0000000001707000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435636748.00000000016F0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: cmmon32.exe, 0000000A.00000002.562891767.0000000004E77000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.561918829.0000000002D34000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.436281285.0000000001C5F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435882830.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.562493341.0000000004A5F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.562313208.0000000004940000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, RegSvcs.exe, 00000005.00000002.436281285.0000000001C5F000.00000040.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.435882830.0000000001B40000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, cmmon32.exe, 0000000A.00000002.562493341.0000000004A5F000.00000040.00000800.00020000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.562313208.0000000004940000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: cmmon32.exe, 0000000A.00000002.562891767.0000000004E77000.00000004.10000000.00040000.00000000.sdmp, cmmon32.exe, 0000000A.00000002.561918829.0000000002D34000.00000004.00000020.00020000.00000000.sdmp
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_00425DE7 push eax; iretd 1_2_00425E05
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Code function: 1_2_004248BA push esp; iretd 1_2_004248BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041B822 push eax; ret 5_2_0041B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041B82B push eax; ret 5_2_0041B892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041B88C push eax; ret 5_2_0041B892
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00415B7C push ss; iretd 5_2_00415B7F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00414DE0 push 915755ECh; retf 5_2_00414E0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041B7D5 push eax; ret 5_2_0041B828
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BBD0D1 push ecx; ret 5_2_01BBD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049BD0D1 push ecx; ret 10_2_049BD0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007AB82B push eax; ret 10_2_007AB892
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007AB822 push eax; ret 10_2_007AB828
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007AB88C push eax; ret 10_2_007AB892
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A5B7C push ss; iretd 10_2_007A5B7F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007A4DE0 push 915755ECh; retf 10_2_007A4E0F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_007AB7D5 push eax; ret 10_2_007AB828
Binary contains a suspicious time stamp
Source: vZnbpHVO9Ay3PKW.exe Static PE information: 0x849DA0AF [Tue Jul 3 10:06:39 2040 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.44171937109
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AntiVM3
Source: Yara match File source: 1.2.vZnbpHVO9Ay3PKW.exe.28603fc.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: vZnbpHVO9Ay3PKW.exe PID: 5540, type: MEMORYSTR
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Tries to detect virtualization through RDTSC time measurements
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000000798604 second address: 000000000079860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 000000000079899E second address: 00000000007989A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe TID: 5608 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API coverage: 9.1 %
Source: C:\Windows\SysWOW64\cmmon32.exe API coverage: 9.5 %
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000006.00000000.408645877.0000000000C10000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
Source: explorer.exe, 00000006.00000000.398836617.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 00000006.00000000.399201344.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000006.00000000.375207684.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.398836617.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000006.00000000.375207684.00000000067C2000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: vZnbpHVO9Ay3PKW.exe, 00000001.00000002.364307611.0000000002811000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000006.00000000.398836617.00000000086C9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_004088D0 rdtsc 5_2_004088D0
Enables debug privileges
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process token adjusted: Debug Jump to behavior
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE51BE mov eax, dword ptr fs:[00000030h] 5_2_01BE51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE51BE mov eax, dword ptr fs:[00000030h] 5_2_01BE51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE51BE mov eax, dword ptr fs:[00000030h] 5_2_01BE51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE51BE mov eax, dword ptr fs:[00000030h] 5_2_01BE51BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE69A6 mov eax, dword ptr fs:[00000030h] 5_2_01BE69A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B961A0 mov eax, dword ptr fs:[00000030h] 5_2_01B961A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B961A0 mov eax, dword ptr fs:[00000030h] 5_2_01B961A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92990 mov eax, dword ptr fs:[00000030h] 5_2_01B92990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8C182 mov eax, dword ptr fs:[00000030h] 5_2_01B8C182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9A185 mov eax, dword ptr fs:[00000030h] 5_2_01B9A185
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6B1E1 mov eax, dword ptr fs:[00000030h] 5_2_01B6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6B1E1 mov eax, dword ptr fs:[00000030h] 5_2_01B6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6B1E1 mov eax, dword ptr fs:[00000030h] 5_2_01B6B1E1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BF41E8 mov eax, dword ptr fs:[00000030h] 5_2_01BF41E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9513A mov eax, dword ptr fs:[00000030h] 5_2_01B9513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9513A mov eax, dword ptr fs:[00000030h] 5_2_01B9513A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B84120 mov eax, dword ptr fs:[00000030h] 5_2_01B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B84120 mov eax, dword ptr fs:[00000030h] 5_2_01B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B84120 mov eax, dword ptr fs:[00000030h] 5_2_01B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B84120 mov eax, dword ptr fs:[00000030h] 5_2_01B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B84120 mov ecx, dword ptr fs:[00000030h] 5_2_01B84120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69100 mov eax, dword ptr fs:[00000030h] 5_2_01B69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69100 mov eax, dword ptr fs:[00000030h] 5_2_01B69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69100 mov eax, dword ptr fs:[00000030h] 5_2_01B69100
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6B171 mov eax, dword ptr fs:[00000030h] 5_2_01B6B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6B171 mov eax, dword ptr fs:[00000030h] 5_2_01B6B171
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6C962 mov eax, dword ptr fs:[00000030h] 5_2_01B6C962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8B944 mov eax, dword ptr fs:[00000030h] 5_2_01B8B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8B944 mov eax, dword ptr fs:[00000030h] 5_2_01B8B944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9F0BF mov ecx, dword ptr fs:[00000030h] 5_2_01B9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9F0BF mov eax, dword ptr fs:[00000030h] 5_2_01B9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9F0BF mov eax, dword ptr fs:[00000030h] 5_2_01B9F0BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA90AF mov eax, dword ptr fs:[00000030h] 5_2_01BA90AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 mov eax, dword ptr fs:[00000030h] 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 mov eax, dword ptr fs:[00000030h] 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 mov eax, dword ptr fs:[00000030h] 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 mov eax, dword ptr fs:[00000030h] 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 mov eax, dword ptr fs:[00000030h] 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B920A0 mov eax, dword ptr fs:[00000030h] 5_2_01B920A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69080 mov eax, dword ptr fs:[00000030h] 5_2_01B69080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE3884 mov eax, dword ptr fs:[00000030h] 5_2_01BE3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE3884 mov eax, dword ptr fs:[00000030h] 5_2_01BE3884
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B658EC mov eax, dword ptr fs:[00000030h] 5_2_01B658EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFB8D0 mov eax, dword ptr fs:[00000030h] 5_2_01BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFB8D0 mov ecx, dword ptr fs:[00000030h] 5_2_01BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFB8D0 mov eax, dword ptr fs:[00000030h] 5_2_01BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFB8D0 mov eax, dword ptr fs:[00000030h] 5_2_01BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFB8D0 mov eax, dword ptr fs:[00000030h] 5_2_01BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFB8D0 mov eax, dword ptr fs:[00000030h] 5_2_01BFB8D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9002D mov eax, dword ptr fs:[00000030h] 5_2_01B9002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9002D mov eax, dword ptr fs:[00000030h] 5_2_01B9002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9002D mov eax, dword ptr fs:[00000030h] 5_2_01B9002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9002D mov eax, dword ptr fs:[00000030h] 5_2_01B9002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9002D mov eax, dword ptr fs:[00000030h] 5_2_01B9002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7B02A mov eax, dword ptr fs:[00000030h] 5_2_01B7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7B02A mov eax, dword ptr fs:[00000030h] 5_2_01B7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7B02A mov eax, dword ptr fs:[00000030h] 5_2_01B7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7B02A mov eax, dword ptr fs:[00000030h] 5_2_01B7B02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE7016 mov eax, dword ptr fs:[00000030h] 5_2_01BE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE7016 mov eax, dword ptr fs:[00000030h] 5_2_01BE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE7016 mov eax, dword ptr fs:[00000030h] 5_2_01BE7016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C22073 mov eax, dword ptr fs:[00000030h] 5_2_01C22073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C31074 mov eax, dword ptr fs:[00000030h] 5_2_01C31074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C34015 mov eax, dword ptr fs:[00000030h] 5_2_01C34015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C34015 mov eax, dword ptr fs:[00000030h] 5_2_01C34015
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B80050 mov eax, dword ptr fs:[00000030h] 5_2_01B80050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B80050 mov eax, dword ptr fs:[00000030h] 5_2_01B80050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B94BAD mov eax, dword ptr fs:[00000030h] 5_2_01B94BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B94BAD mov eax, dword ptr fs:[00000030h] 5_2_01B94BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B94BAD mov eax, dword ptr fs:[00000030h] 5_2_01B94BAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9B390 mov eax, dword ptr fs:[00000030h] 5_2_01B9B390
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92397 mov eax, dword ptr fs:[00000030h] 5_2_01B92397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B71B8F mov eax, dword ptr fs:[00000030h] 5_2_01B71B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B71B8F mov eax, dword ptr fs:[00000030h] 5_2_01B71B8F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C1D380 mov ecx, dword ptr fs:[00000030h] 5_2_01C1D380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2138A mov eax, dword ptr fs:[00000030h] 5_2_01C2138A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8DBE9 mov eax, dword ptr fs:[00000030h] 5_2_01B8DBE9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B903E2 mov eax, dword ptr fs:[00000030h] 5_2_01B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B903E2 mov eax, dword ptr fs:[00000030h] 5_2_01B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B903E2 mov eax, dword ptr fs:[00000030h] 5_2_01B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B903E2 mov eax, dword ptr fs:[00000030h] 5_2_01B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B903E2 mov eax, dword ptr fs:[00000030h] 5_2_01B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B903E2 mov eax, dword ptr fs:[00000030h] 5_2_01B903E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C35BA5 mov eax, dword ptr fs:[00000030h] 5_2_01C35BA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE53CA mov eax, dword ptr fs:[00000030h] 5_2_01BE53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE53CA mov eax, dword ptr fs:[00000030h] 5_2_01BE53CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C38B58 mov eax, dword ptr fs:[00000030h] 5_2_01C38B58
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B93B7A mov eax, dword ptr fs:[00000030h] 5_2_01B93B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B93B7A mov eax, dword ptr fs:[00000030h] 5_2_01B93B7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6DB60 mov ecx, dword ptr fs:[00000030h] 5_2_01B6DB60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2131B mov eax, dword ptr fs:[00000030h] 5_2_01C2131B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6F358 mov eax, dword ptr fs:[00000030h] 5_2_01B6F358
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6DB40 mov eax, dword ptr fs:[00000030h] 5_2_01B6DB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7AAB0 mov eax, dword ptr fs:[00000030h] 5_2_01B7AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7AAB0 mov eax, dword ptr fs:[00000030h] 5_2_01B7AAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9FAB0 mov eax, dword ptr fs:[00000030h] 5_2_01B9FAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B652A5 mov eax, dword ptr fs:[00000030h] 5_2_01B652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B652A5 mov eax, dword ptr fs:[00000030h] 5_2_01B652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B652A5 mov eax, dword ptr fs:[00000030h] 5_2_01B652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B652A5 mov eax, dword ptr fs:[00000030h] 5_2_01B652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B652A5 mov eax, dword ptr fs:[00000030h] 5_2_01B652A5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9D294 mov eax, dword ptr fs:[00000030h] 5_2_01B9D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9D294 mov eax, dword ptr fs:[00000030h] 5_2_01B9D294
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92AE4 mov eax, dword ptr fs:[00000030h] 5_2_01B92AE4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92ACB mov eax, dword ptr fs:[00000030h] 5_2_01B92ACB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA4A2C mov eax, dword ptr fs:[00000030h] 5_2_01BA4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA4A2C mov eax, dword ptr fs:[00000030h] 5_2_01BA4A2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2EA55 mov eax, dword ptr fs:[00000030h] 5_2_01C2EA55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6AA16 mov eax, dword ptr fs:[00000030h] 5_2_01B6AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6AA16 mov eax, dword ptr fs:[00000030h] 5_2_01B6AA16
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C1B260 mov eax, dword ptr fs:[00000030h] 5_2_01C1B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C1B260 mov eax, dword ptr fs:[00000030h] 5_2_01C1B260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C38A62 mov eax, dword ptr fs:[00000030h] 5_2_01C38A62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B83A1C mov eax, dword ptr fs:[00000030h] 5_2_01B83A1C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B65210 mov eax, dword ptr fs:[00000030h] 5_2_01B65210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B65210 mov ecx, dword ptr fs:[00000030h] 5_2_01B65210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B65210 mov eax, dword ptr fs:[00000030h] 5_2_01B65210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B65210 mov eax, dword ptr fs:[00000030h] 5_2_01B65210
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B78A0A mov eax, dword ptr fs:[00000030h] 5_2_01B78A0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA927A mov eax, dword ptr fs:[00000030h] 5_2_01BA927A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BF4257 mov eax, dword ptr fs:[00000030h] 5_2_01BF4257
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69240 mov eax, dword ptr fs:[00000030h] 5_2_01B69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69240 mov eax, dword ptr fs:[00000030h] 5_2_01B69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69240 mov eax, dword ptr fs:[00000030h] 5_2_01B69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B69240 mov eax, dword ptr fs:[00000030h] 5_2_01B69240
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B91DB5 mov eax, dword ptr fs:[00000030h] 5_2_01B91DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B91DB5 mov eax, dword ptr fs:[00000030h] 5_2_01B91DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B91DB5 mov eax, dword ptr fs:[00000030h] 5_2_01B91DB5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B935A1 mov eax, dword ptr fs:[00000030h] 5_2_01B935A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2FDE2 mov eax, dword ptr fs:[00000030h] 5_2_01C2FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2FDE2 mov eax, dword ptr fs:[00000030h] 5_2_01C2FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2FDE2 mov eax, dword ptr fs:[00000030h] 5_2_01C2FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2FDE2 mov eax, dword ptr fs:[00000030h] 5_2_01C2FDE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9FD9B mov eax, dword ptr fs:[00000030h] 5_2_01B9FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9FD9B mov eax, dword ptr fs:[00000030h] 5_2_01B9FD9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C18DF1 mov eax, dword ptr fs:[00000030h] 5_2_01C18DF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92581 mov eax, dword ptr fs:[00000030h] 5_2_01B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92581 mov eax, dword ptr fs:[00000030h] 5_2_01B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92581 mov eax, dword ptr fs:[00000030h] 5_2_01B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B92581 mov eax, dword ptr fs:[00000030h] 5_2_01B92581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B62D8A mov eax, dword ptr fs:[00000030h] 5_2_01B62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B62D8A mov eax, dword ptr fs:[00000030h] 5_2_01B62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B62D8A mov eax, dword ptr fs:[00000030h] 5_2_01B62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B62D8A mov eax, dword ptr fs:[00000030h] 5_2_01B62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B62D8A mov eax, dword ptr fs:[00000030h] 5_2_01B62D8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7D5E0 mov eax, dword ptr fs:[00000030h] 5_2_01B7D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7D5E0 mov eax, dword ptr fs:[00000030h] 5_2_01B7D5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C305AC mov eax, dword ptr fs:[00000030h] 5_2_01C305AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C305AC mov eax, dword ptr fs:[00000030h] 5_2_01C305AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6DC9 mov eax, dword ptr fs:[00000030h] 5_2_01BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6DC9 mov eax, dword ptr fs:[00000030h] 5_2_01BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6DC9 mov eax, dword ptr fs:[00000030h] 5_2_01BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6DC9 mov ecx, dword ptr fs:[00000030h] 5_2_01BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6DC9 mov eax, dword ptr fs:[00000030h] 5_2_01BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6DC9 mov eax, dword ptr fs:[00000030h] 5_2_01BE6DC9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B94D3B mov eax, dword ptr fs:[00000030h] 5_2_01B94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B94D3B mov eax, dword ptr fs:[00000030h] 5_2_01B94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B94D3B mov eax, dword ptr fs:[00000030h] 5_2_01B94D3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B73D34 mov eax, dword ptr fs:[00000030h] 5_2_01B73D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6AD30 mov eax, dword ptr fs:[00000030h] 5_2_01B6AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BEA537 mov eax, dword ptr fs:[00000030h] 5_2_01BEA537
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8C577 mov eax, dword ptr fs:[00000030h] 5_2_01B8C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8C577 mov eax, dword ptr fs:[00000030h] 5_2_01B8C577
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B87D50 mov eax, dword ptr fs:[00000030h] 5_2_01B87D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C38D34 mov eax, dword ptr fs:[00000030h] 5_2_01C38D34
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA3D43 mov eax, dword ptr fs:[00000030h] 5_2_01BA3D43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2E539 mov eax, dword ptr fs:[00000030h] 5_2_01C2E539
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE3540 mov eax, dword ptr fs:[00000030h] 5_2_01BE3540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C38CD6 mov eax, dword ptr fs:[00000030h] 5_2_01C38CD6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7849B mov eax, dword ptr fs:[00000030h] 5_2_01B7849B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C214FB mov eax, dword ptr fs:[00000030h] 5_2_01C214FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6CF0 mov eax, dword ptr fs:[00000030h] 5_2_01BE6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6CF0 mov eax, dword ptr fs:[00000030h] 5_2_01BE6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6CF0 mov eax, dword ptr fs:[00000030h] 5_2_01BE6CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9BC2C mov eax, dword ptr fs:[00000030h] 5_2_01B9BC2C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6C0A mov eax, dword ptr fs:[00000030h] 5_2_01BE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6C0A mov eax, dword ptr fs:[00000030h] 5_2_01BE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6C0A mov eax, dword ptr fs:[00000030h] 5_2_01BE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE6C0A mov eax, dword ptr fs:[00000030h] 5_2_01BE6C0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21C06 mov eax, dword ptr fs:[00000030h] 5_2_01C21C06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C3740D mov eax, dword ptr fs:[00000030h] 5_2_01C3740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C3740D mov eax, dword ptr fs:[00000030h] 5_2_01C3740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C3740D mov eax, dword ptr fs:[00000030h] 5_2_01C3740D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8746D mov eax, dword ptr fs:[00000030h] 5_2_01B8746D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFC450 mov eax, dword ptr fs:[00000030h] 5_2_01BFC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFC450 mov eax, dword ptr fs:[00000030h] 5_2_01BFC450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9A44B mov eax, dword ptr fs:[00000030h] 5_2_01B9A44B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B78794 mov eax, dword ptr fs:[00000030h] 5_2_01B78794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE7794 mov eax, dword ptr fs:[00000030h] 5_2_01BE7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE7794 mov eax, dword ptr fs:[00000030h] 5_2_01BE7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE7794 mov eax, dword ptr fs:[00000030h] 5_2_01BE7794
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA37F5 mov eax, dword ptr fs:[00000030h] 5_2_01BA37F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9E730 mov eax, dword ptr fs:[00000030h] 5_2_01B9E730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B64F2E mov eax, dword ptr fs:[00000030h] 5_2_01B64F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B64F2E mov eax, dword ptr fs:[00000030h] 5_2_01B64F2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C38F6A mov eax, dword ptr fs:[00000030h] 5_2_01C38F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8F716 mov eax, dword ptr fs:[00000030h] 5_2_01B8F716
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFFF10 mov eax, dword ptr fs:[00000030h] 5_2_01BFFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFFF10 mov eax, dword ptr fs:[00000030h] 5_2_01BFFF10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9A70E mov eax, dword ptr fs:[00000030h] 5_2_01B9A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9A70E mov eax, dword ptr fs:[00000030h] 5_2_01B9A70E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C3070D mov eax, dword ptr fs:[00000030h] 5_2_01C3070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C3070D mov eax, dword ptr fs:[00000030h] 5_2_01C3070D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7FF60 mov eax, dword ptr fs:[00000030h] 5_2_01B7FF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7EF40 mov eax, dword ptr fs:[00000030h] 5_2_01B7EF40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C1FEC0 mov eax, dword ptr fs:[00000030h] 5_2_01C1FEC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C38ED6 mov eax, dword ptr fs:[00000030h] 5_2_01C38ED6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BE46A7 mov eax, dword ptr fs:[00000030h] 5_2_01BE46A7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BFFE87 mov eax, dword ptr fs:[00000030h] 5_2_01BFFE87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B776E2 mov eax, dword ptr fs:[00000030h] 5_2_01B776E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B916E0 mov ecx, dword ptr fs:[00000030h] 5_2_01B916E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C30EA5 mov eax, dword ptr fs:[00000030h] 5_2_01C30EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C30EA5 mov eax, dword ptr fs:[00000030h] 5_2_01C30EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C30EA5 mov eax, dword ptr fs:[00000030h] 5_2_01C30EA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B936CC mov eax, dword ptr fs:[00000030h] 5_2_01B936CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01BA8EC7 mov eax, dword ptr fs:[00000030h] 5_2_01BA8EC7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2AE44 mov eax, dword ptr fs:[00000030h] 5_2_01C2AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C2AE44 mov eax, dword ptr fs:[00000030h] 5_2_01C2AE44
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6E620 mov eax, dword ptr fs:[00000030h] 5_2_01B6E620
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9A61C mov eax, dword ptr fs:[00000030h] 5_2_01B9A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B9A61C mov eax, dword ptr fs:[00000030h] 5_2_01B9A61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6C600 mov eax, dword ptr fs:[00000030h] 5_2_01B6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6C600 mov eax, dword ptr fs:[00000030h] 5_2_01B6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B6C600 mov eax, dword ptr fs:[00000030h] 5_2_01B6C600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B98E00 mov eax, dword ptr fs:[00000030h] 5_2_01B98E00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C21608 mov eax, dword ptr fs:[00000030h] 5_2_01C21608
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8AE73 mov eax, dword ptr fs:[00000030h] 5_2_01B8AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8AE73 mov eax, dword ptr fs:[00000030h] 5_2_01B8AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8AE73 mov eax, dword ptr fs:[00000030h] 5_2_01B8AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8AE73 mov eax, dword ptr fs:[00000030h] 5_2_01B8AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B8AE73 mov eax, dword ptr fs:[00000030h] 5_2_01B8AE73
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B7766D mov eax, dword ptr fs:[00000030h] 5_2_01B7766D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B77E41 mov eax, dword ptr fs:[00000030h] 5_2_01B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B77E41 mov eax, dword ptr fs:[00000030h] 5_2_01B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B77E41 mov eax, dword ptr fs:[00000030h] 5_2_01B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B77E41 mov eax, dword ptr fs:[00000030h] 5_2_01B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B77E41 mov eax, dword ptr fs:[00000030h] 5_2_01B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01B77E41 mov eax, dword ptr fs:[00000030h] 5_2_01B77E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01C1FE3F mov eax, dword ptr fs:[00000030h] 5_2_01C1FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497849B mov eax, dword ptr fs:[00000030h] 10_2_0497849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A214FB mov eax, dword ptr fs:[00000030h] 10_2_04A214FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6CF0 mov eax, dword ptr fs:[00000030h] 10_2_049E6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6CF0 mov eax, dword ptr fs:[00000030h] 10_2_049E6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6CF0 mov eax, dword ptr fs:[00000030h] 10_2_049E6CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A38CD6 mov eax, dword ptr fs:[00000030h] 10_2_04A38CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6C0A mov eax, dword ptr fs:[00000030h] 10_2_049E6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6C0A mov eax, dword ptr fs:[00000030h] 10_2_049E6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6C0A mov eax, dword ptr fs:[00000030h] 10_2_049E6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6C0A mov eax, dword ptr fs:[00000030h] 10_2_049E6C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21C06 mov eax, dword ptr fs:[00000030h] 10_2_04A21C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A3740D mov eax, dword ptr fs:[00000030h] 10_2_04A3740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A3740D mov eax, dword ptr fs:[00000030h] 10_2_04A3740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A3740D mov eax, dword ptr fs:[00000030h] 10_2_04A3740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499BC2C mov eax, dword ptr fs:[00000030h] 10_2_0499BC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FC450 mov eax, dword ptr fs:[00000030h] 10_2_049FC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FC450 mov eax, dword ptr fs:[00000030h] 10_2_049FC450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499A44B mov eax, dword ptr fs:[00000030h] 10_2_0499A44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498746D mov eax, dword ptr fs:[00000030h] 10_2_0498746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499FD9B mov eax, dword ptr fs:[00000030h] 10_2_0499FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499FD9B mov eax, dword ptr fs:[00000030h] 10_2_0499FD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A305AC mov eax, dword ptr fs:[00000030h] 10_2_04A305AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A305AC mov eax, dword ptr fs:[00000030h] 10_2_04A305AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992581 mov eax, dword ptr fs:[00000030h] 10_2_04992581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992581 mov eax, dword ptr fs:[00000030h] 10_2_04992581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992581 mov eax, dword ptr fs:[00000030h] 10_2_04992581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992581 mov eax, dword ptr fs:[00000030h] 10_2_04992581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04962D8A mov eax, dword ptr fs:[00000030h] 10_2_04962D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04962D8A mov eax, dword ptr fs:[00000030h] 10_2_04962D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04962D8A mov eax, dword ptr fs:[00000030h] 10_2_04962D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04962D8A mov eax, dword ptr fs:[00000030h] 10_2_04962D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04962D8A mov eax, dword ptr fs:[00000030h] 10_2_04962D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04991DB5 mov eax, dword ptr fs:[00000030h] 10_2_04991DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04991DB5 mov eax, dword ptr fs:[00000030h] 10_2_04991DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04991DB5 mov eax, dword ptr fs:[00000030h] 10_2_04991DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049935A1 mov eax, dword ptr fs:[00000030h] 10_2_049935A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2FDE2 mov eax, dword ptr fs:[00000030h] 10_2_04A2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2FDE2 mov eax, dword ptr fs:[00000030h] 10_2_04A2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2FDE2 mov eax, dword ptr fs:[00000030h] 10_2_04A2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2FDE2 mov eax, dword ptr fs:[00000030h] 10_2_04A2FDE2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A18DF1 mov eax, dword ptr fs:[00000030h] 10_2_04A18DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6DC9 mov eax, dword ptr fs:[00000030h] 10_2_049E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6DC9 mov eax, dword ptr fs:[00000030h] 10_2_049E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6DC9 mov eax, dword ptr fs:[00000030h] 10_2_049E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6DC9 mov ecx, dword ptr fs:[00000030h] 10_2_049E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6DC9 mov eax, dword ptr fs:[00000030h] 10_2_049E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E6DC9 mov eax, dword ptr fs:[00000030h] 10_2_049E6DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497D5E0 mov eax, dword ptr fs:[00000030h] 10_2_0497D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497D5E0 mov eax, dword ptr fs:[00000030h] 10_2_0497D5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A38D34 mov eax, dword ptr fs:[00000030h] 10_2_04A38D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2E539 mov eax, dword ptr fs:[00000030h] 10_2_04A2E539
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04994D3B mov eax, dword ptr fs:[00000030h] 10_2_04994D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04994D3B mov eax, dword ptr fs:[00000030h] 10_2_04994D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04994D3B mov eax, dword ptr fs:[00000030h] 10_2_04994D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04973D34 mov eax, dword ptr fs:[00000030h] 10_2_04973D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496AD30 mov eax, dword ptr fs:[00000030h] 10_2_0496AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049EA537 mov eax, dword ptr fs:[00000030h] 10_2_049EA537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04987D50 mov eax, dword ptr fs:[00000030h] 10_2_04987D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A3D43 mov eax, dword ptr fs:[00000030h] 10_2_049A3D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E3540 mov eax, dword ptr fs:[00000030h] 10_2_049E3540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498C577 mov eax, dword ptr fs:[00000030h] 10_2_0498C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498C577 mov eax, dword ptr fs:[00000030h] 10_2_0498C577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A30EA5 mov eax, dword ptr fs:[00000030h] 10_2_04A30EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A30EA5 mov eax, dword ptr fs:[00000030h] 10_2_04A30EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A30EA5 mov eax, dword ptr fs:[00000030h] 10_2_04A30EA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FFE87 mov eax, dword ptr fs:[00000030h] 10_2_049FFE87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E46A7 mov eax, dword ptr fs:[00000030h] 10_2_049E46A7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049936CC mov eax, dword ptr fs:[00000030h] 10_2_049936CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A8EC7 mov eax, dword ptr fs:[00000030h] 10_2_049A8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A1FEC0 mov eax, dword ptr fs:[00000030h] 10_2_04A1FEC0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A38ED6 mov eax, dword ptr fs:[00000030h] 10_2_04A38ED6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049776E2 mov eax, dword ptr fs:[00000030h] 10_2_049776E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049916E0 mov ecx, dword ptr fs:[00000030h] 10_2_049916E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499A61C mov eax, dword ptr fs:[00000030h] 10_2_0499A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499A61C mov eax, dword ptr fs:[00000030h] 10_2_0499A61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496C600 mov eax, dword ptr fs:[00000030h] 10_2_0496C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496C600 mov eax, dword ptr fs:[00000030h] 10_2_0496C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496C600 mov eax, dword ptr fs:[00000030h] 10_2_0496C600
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04998E00 mov eax, dword ptr fs:[00000030h] 10_2_04998E00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A1FE3F mov eax, dword ptr fs:[00000030h] 10_2_04A1FE3F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A21608 mov eax, dword ptr fs:[00000030h] 10_2_04A21608
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496E620 mov eax, dword ptr fs:[00000030h] 10_2_0496E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04977E41 mov eax, dword ptr fs:[00000030h] 10_2_04977E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04977E41 mov eax, dword ptr fs:[00000030h] 10_2_04977E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04977E41 mov eax, dword ptr fs:[00000030h] 10_2_04977E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04977E41 mov eax, dword ptr fs:[00000030h] 10_2_04977E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04977E41 mov eax, dword ptr fs:[00000030h] 10_2_04977E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04977E41 mov eax, dword ptr fs:[00000030h] 10_2_04977E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2AE44 mov eax, dword ptr fs:[00000030h] 10_2_04A2AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2AE44 mov eax, dword ptr fs:[00000030h] 10_2_04A2AE44
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498AE73 mov eax, dword ptr fs:[00000030h] 10_2_0498AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498AE73 mov eax, dword ptr fs:[00000030h] 10_2_0498AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498AE73 mov eax, dword ptr fs:[00000030h] 10_2_0498AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498AE73 mov eax, dword ptr fs:[00000030h] 10_2_0498AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498AE73 mov eax, dword ptr fs:[00000030h] 10_2_0498AE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497766D mov eax, dword ptr fs:[00000030h] 10_2_0497766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04978794 mov eax, dword ptr fs:[00000030h] 10_2_04978794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E7794 mov eax, dword ptr fs:[00000030h] 10_2_049E7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E7794 mov eax, dword ptr fs:[00000030h] 10_2_049E7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E7794 mov eax, dword ptr fs:[00000030h] 10_2_049E7794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A37F5 mov eax, dword ptr fs:[00000030h] 10_2_049A37F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498F716 mov eax, dword ptr fs:[00000030h] 10_2_0498F716
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FFF10 mov eax, dword ptr fs:[00000030h] 10_2_049FFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FFF10 mov eax, dword ptr fs:[00000030h] 10_2_049FFF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499A70E mov eax, dword ptr fs:[00000030h] 10_2_0499A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499A70E mov eax, dword ptr fs:[00000030h] 10_2_0499A70E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499E730 mov eax, dword ptr fs:[00000030h] 10_2_0499E730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A3070D mov eax, dword ptr fs:[00000030h] 10_2_04A3070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A3070D mov eax, dword ptr fs:[00000030h] 10_2_04A3070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04964F2E mov eax, dword ptr fs:[00000030h] 10_2_04964F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04964F2E mov eax, dword ptr fs:[00000030h] 10_2_04964F2E
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A38F6A mov eax, dword ptr fs:[00000030h] 10_2_04A38F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497EF40 mov eax, dword ptr fs:[00000030h] 10_2_0497EF40
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497FF60 mov eax, dword ptr fs:[00000030h] 10_2_0497FF60
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04969080 mov eax, dword ptr fs:[00000030h] 10_2_04969080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E3884 mov eax, dword ptr fs:[00000030h] 10_2_049E3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E3884 mov eax, dword ptr fs:[00000030h] 10_2_049E3884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499F0BF mov ecx, dword ptr fs:[00000030h] 10_2_0499F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499F0BF mov eax, dword ptr fs:[00000030h] 10_2_0499F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499F0BF mov eax, dword ptr fs:[00000030h] 10_2_0499F0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A90AF mov eax, dword ptr fs:[00000030h] 10_2_049A90AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 mov eax, dword ptr fs:[00000030h] 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 mov eax, dword ptr fs:[00000030h] 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 mov eax, dword ptr fs:[00000030h] 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 mov eax, dword ptr fs:[00000030h] 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 mov eax, dword ptr fs:[00000030h] 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049920A0 mov eax, dword ptr fs:[00000030h] 10_2_049920A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FB8D0 mov eax, dword ptr fs:[00000030h] 10_2_049FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FB8D0 mov ecx, dword ptr fs:[00000030h] 10_2_049FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FB8D0 mov eax, dword ptr fs:[00000030h] 10_2_049FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FB8D0 mov eax, dword ptr fs:[00000030h] 10_2_049FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FB8D0 mov eax, dword ptr fs:[00000030h] 10_2_049FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049FB8D0 mov eax, dword ptr fs:[00000030h] 10_2_049FB8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049658EC mov eax, dword ptr fs:[00000030h] 10_2_049658EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E7016 mov eax, dword ptr fs:[00000030h] 10_2_049E7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E7016 mov eax, dword ptr fs:[00000030h] 10_2_049E7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E7016 mov eax, dword ptr fs:[00000030h] 10_2_049E7016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499002D mov eax, dword ptr fs:[00000030h] 10_2_0499002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499002D mov eax, dword ptr fs:[00000030h] 10_2_0499002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499002D mov eax, dword ptr fs:[00000030h] 10_2_0499002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499002D mov eax, dword ptr fs:[00000030h] 10_2_0499002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499002D mov eax, dword ptr fs:[00000030h] 10_2_0499002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A34015 mov eax, dword ptr fs:[00000030h] 10_2_04A34015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A34015 mov eax, dword ptr fs:[00000030h] 10_2_04A34015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497B02A mov eax, dword ptr fs:[00000030h] 10_2_0497B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497B02A mov eax, dword ptr fs:[00000030h] 10_2_0497B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497B02A mov eax, dword ptr fs:[00000030h] 10_2_0497B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497B02A mov eax, dword ptr fs:[00000030h] 10_2_0497B02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04980050 mov eax, dword ptr fs:[00000030h] 10_2_04980050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04980050 mov eax, dword ptr fs:[00000030h] 10_2_04980050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A22073 mov eax, dword ptr fs:[00000030h] 10_2_04A22073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A31074 mov eax, dword ptr fs:[00000030h] 10_2_04A31074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992990 mov eax, dword ptr fs:[00000030h] 10_2_04992990
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498C182 mov eax, dword ptr fs:[00000030h] 10_2_0498C182
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499A185 mov eax, dword ptr fs:[00000030h] 10_2_0499A185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E51BE mov eax, dword ptr fs:[00000030h] 10_2_049E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E51BE mov eax, dword ptr fs:[00000030h] 10_2_049E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E51BE mov eax, dword ptr fs:[00000030h] 10_2_049E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E51BE mov eax, dword ptr fs:[00000030h] 10_2_049E51BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049E69A6 mov eax, dword ptr fs:[00000030h] 10_2_049E69A6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049961A0 mov eax, dword ptr fs:[00000030h] 10_2_049961A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049961A0 mov eax, dword ptr fs:[00000030h] 10_2_049961A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049F41E8 mov eax, dword ptr fs:[00000030h] 10_2_049F41E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0496B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0496B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496B1E1 mov eax, dword ptr fs:[00000030h] 10_2_0496B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04969100 mov eax, dword ptr fs:[00000030h] 10_2_04969100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04969100 mov eax, dword ptr fs:[00000030h] 10_2_04969100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04969100 mov eax, dword ptr fs:[00000030h] 10_2_04969100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499513A mov eax, dword ptr fs:[00000030h] 10_2_0499513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499513A mov eax, dword ptr fs:[00000030h] 10_2_0499513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04984120 mov eax, dword ptr fs:[00000030h] 10_2_04984120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04984120 mov eax, dword ptr fs:[00000030h] 10_2_04984120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04984120 mov eax, dword ptr fs:[00000030h] 10_2_04984120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04984120 mov eax, dword ptr fs:[00000030h] 10_2_04984120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04984120 mov ecx, dword ptr fs:[00000030h] 10_2_04984120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498B944 mov eax, dword ptr fs:[00000030h] 10_2_0498B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0498B944 mov eax, dword ptr fs:[00000030h] 10_2_0498B944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496B171 mov eax, dword ptr fs:[00000030h] 10_2_0496B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496B171 mov eax, dword ptr fs:[00000030h] 10_2_0496B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496C962 mov eax, dword ptr fs:[00000030h] 10_2_0496C962
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499D294 mov eax, dword ptr fs:[00000030h] 10_2_0499D294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499D294 mov eax, dword ptr fs:[00000030h] 10_2_0499D294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497AAB0 mov eax, dword ptr fs:[00000030h] 10_2_0497AAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0497AAB0 mov eax, dword ptr fs:[00000030h] 10_2_0497AAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0499FAB0 mov eax, dword ptr fs:[00000030h] 10_2_0499FAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049652A5 mov eax, dword ptr fs:[00000030h] 10_2_049652A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049652A5 mov eax, dword ptr fs:[00000030h] 10_2_049652A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049652A5 mov eax, dword ptr fs:[00000030h] 10_2_049652A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049652A5 mov eax, dword ptr fs:[00000030h] 10_2_049652A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049652A5 mov eax, dword ptr fs:[00000030h] 10_2_049652A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992ACB mov eax, dword ptr fs:[00000030h] 10_2_04992ACB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04992AE4 mov eax, dword ptr fs:[00000030h] 10_2_04992AE4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496AA16 mov eax, dword ptr fs:[00000030h] 10_2_0496AA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_0496AA16 mov eax, dword ptr fs:[00000030h] 10_2_0496AA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04983A1C mov eax, dword ptr fs:[00000030h] 10_2_04983A1C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04965210 mov eax, dword ptr fs:[00000030h] 10_2_04965210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04965210 mov ecx, dword ptr fs:[00000030h] 10_2_04965210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04965210 mov eax, dword ptr fs:[00000030h] 10_2_04965210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04965210 mov eax, dword ptr fs:[00000030h] 10_2_04965210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04978A0A mov eax, dword ptr fs:[00000030h] 10_2_04978A0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2AA16 mov eax, dword ptr fs:[00000030h] 10_2_04A2AA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A2AA16 mov eax, dword ptr fs:[00000030h] 10_2_04A2AA16
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A4A2C mov eax, dword ptr fs:[00000030h] 10_2_049A4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049A4A2C mov eax, dword ptr fs:[00000030h] 10_2_049A4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A38A62 mov eax, dword ptr fs:[00000030h] 10_2_04A38A62
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A1B260 mov eax, dword ptr fs:[00000030h] 10_2_04A1B260
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04A1B260 mov eax, dword ptr fs:[00000030h] 10_2_04A1B260
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_049F4257 mov eax, dword ptr fs:[00000030h] 10_2_049F4257
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04969240 mov eax, dword ptr fs:[00000030h] 10_2_04969240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 10_2_04969240 mov eax, dword ptr fs:[00000030h] 10_2_04969240
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort Jump to behavior
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00409B40 LdrLoadDll, 5_2_00409B40
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.wanfengzp.com
Source: C:\Windows\explorer.exe Network Connect: 188.114.97.7 80 Jump to behavior
Source: C:\Windows\explorer.exe Domain query: www.multicoopltda.com
Source: C:\Windows\explorer.exe Domain query: www.4kx.claims
Source: C:\Windows\explorer.exe Network Connect: 154.213.81.89 80 Jump to behavior
Sample uses process hollowing technique
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: C30000 Jump to behavior
Maps a DLL or memory area into another process
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1086008 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Queues an APC in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread register set: target process: 3352 Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3352 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path} Jump to behavior
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" Jump to behavior
Source: explorer.exe, 00000006.00000000.389610017.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.369265558.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.408541055.0000000000B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Progman\Pr
Source: explorer.exe, 00000006.00000000.390088188.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.408941213.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.467589397.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Program Manager
Source: explorer.exe, 00000006.00000000.390088188.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.408941213.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.374874176.0000000005E10000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.390088188.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.408941213.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.467589397.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.390088188.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.408941213.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.467589397.00000000011E0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.417245816.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.379248815.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.399201344.0000000008778000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndh
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\vZnbpHVO9Ay3PKW.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected FormBook
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality
barindex
Yara detected FormBook
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.0.RegSvcs.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.vZnbpHVO9Ay3PKW.exe.38b8838.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000002.561819107.0000000002C90000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435809794.0000000001A00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.402882411.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561679136.0000000000790000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360586488.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.561855817.0000000002CC0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435249168.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000000.360845207.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.366813478.000000000381C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.420796666.000000000FC7E000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.435599788.00000000016B0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
windows-stand
Behavior
Click here to start
Slideshow Behavior Animation
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 583349 Sample: vZnbpHVO9Ay3PKW.exe Startdate: 04/03/2022 Architecture: WINDOWS Score: 100 33 www.todosartenes.net 2->33 35 parkingsrv0.dondominio.com 2->35 43 Found malware configuration 2->43 45 Malicious sample detected (through community Yara rule) 2->45 47 Antivirus detection for URL or domain 2->47 49 6 other signatures 2->49 11 vZnbpHVO9Ay3PKW.exe 3 2->11         started        signatures3 process4 file5 31 C:\Users\user\...\vZnbpHVO9Ay3PKW.exe.log, ASCII 11->31 dropped 59 Writes to foreign memory regions 11->59 61 Injects a PE file into a foreign processes 11->61 15 RegSvcs.exe 11->15         started        18 RegSvcs.exe 11->18         started        signatures6 process7 signatures8 63 Modifies the context of a thread in another process (thread injection) 15->63 65 Maps a DLL or memory area into another process 15->65 67 Sample uses process hollowing technique 15->67 69 Queues an APC in another process (thread injection) 15->69 20 explorer.exe 15->20 injected 71 Tries to detect virtualization through RDTSC time measurements 18->71 process9 dnsIp10 37 www.wanfengzp.com 154.213.81.89, 49761, 80 COMING-ASABCDEGROUPCOMPANYLIMITEDHK Seychelles 20->37 39 www.multicoopltda.com 188.114.97.7, 49759, 80 CLOUDFLARENETUS European Union 20->39 41 www.4kx.claims 20->41 51 System process connects to network (likely due to code injection or exploit) 20->51 24 cmmon32.exe 20->24         started        signatures11 process12 signatures13 53 Modifies the context of a thread in another process (thread injection) 24->53 55 Maps a DLL or memory area into another process 24->55 57 Tries to detect virtualization through RDTSC time measurements 24->57 27 cmd.exe 1 24->27         started        process14 process15 29 conhost.exe 27->29         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
188.114.97.7
 www.multicoopltda.com European Union
13335 CLOUDFLARENETUS true
154.213.81.89
 www.wanfengzp.com Seychelles
133201 COMING-ASABCDEGROUPCOMPANYLIMITEDHK true

Contacted Domains

Name IP Active
www.wanfengzp.com 154.213.81.89 true
www.multicoopltda.com 188.114.97.7 true
parkingsrv0.dondominio.com 31.214.178.54 true
www.todosartenes.net unknown unknown
www.4kx.claims unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://www.wanfengzp.com/k8yh/?TvWlL=WlkszVQWggehkNRKyk9knMdKAerz3SY7s+8TALNmeeNpu66eiTCmHshqdICGuNLnjgQy&b6fXyX=qPcT3ZF0rXk8OR true
  • Avira URL Cloud: malware
 unknown
http://www.multicoopltda.com/k8yh/?b6fXyX=qPcT3ZF0rXk8OR&TvWlL=g5y8LnFT155fteZvFM8pUfyNt3b+XWGWDwM5uEmj7cZhEHDH+KATfNiPLE3gzjMDZxnL true
  • Avira URL Cloud: malware
 unknown
www.wanfengzp.com/k8yh/ true
  • Avira URL Cloud: malware
 low